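---
# Source: antrea/crds/antreaagentinfo.yaml
#
# AntreaAgentInfo: a cluster-scoped status report for one Antrea agent
# (podRef/nodeRef tie the object to the Pod and Node it runs in). The schema
# below only constrains the shape of the object; which identities may create
# or update these objects is decided by RBAC that is not part of this file.
# That matters because apiCABundle/apiPort are presumably consumed by clients
# that then trust whatever was written here -- confirm that the writer set is
# limited to the agent's own service account.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: antreaagentinfos.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            # Agent build version as reported by the agent.
            version:
              type: string
            # Health conditions. type, status and lastHeartbeatTime are
            # mandatory on every entry so the Healthy / Last Heartbeat printer
            # columns below always have data to show.
            agentConditions:
              type: array
              items:
                type: object
                required:
                  - type
                  - status
                  - lastHeartbeatTime
                properties:
                  lastHeartbeatTime:
                    type: string
                    format: date-time
                  type:
                    type: string
                    enum: ['AgentHealthy', 'ControllerConnectionUp', 'OVSDBConnectionUp', 'OpenflowConnectionUp']
                  # Quoted on purpose: bare True/False would be parsed as YAML
                  # booleans, and the enum must hold the strings "True"/"False".
                  status:
                    type: string
                    enum: ['True', 'False', 'Unknown']
                  reason:
                    type: string
                  message:
                    type: string
            localPodNum:
              type: integer
              format: int32
            nodePortLocalPortRange:
              type: string
            # Pod subnets used by this agent. Only checked to be strings; the
            # schema applies no CIDR format validation to them.
            nodeSubnets:
              type: array
              items:
                type: string
            # Base64-encoded (format: byte) CA bundle, presumably for the agent
            # API served on apiPort. Anyone who can update this object can swap
            # the bundle that readers of this field will trust.
            apiCABundle:
              type: string
              format: byte
            ovsInfo:
              type: object
              properties:
                version:
                  type: string
                bridgeName:
                  type: string
                # Map keyed by flow table; integer values (presumably counts).
                flowTable:
                  type: object
                  additionalProperties:
                    type: integer
                    format: int32
            networkPolicyControllerInfo:
              type: object
              properties:
                networkPolicyNum:
                  type: integer
                  format: int32
                addressGroupNum:
                  type: integer
                  format: int32
                appliedToGroupNum:
                  type: integer
                  format: int32
            # Agent API port, restricted to the valid port range.
            apiPort:
              type: integer
              minimum: 1
              maximum: 65535
            # ObjectReference-shaped pointer to the agent Pod.
            podRef:
              type: object
              properties:
                kind:
                  type: string
                namespace:
                  type: string
                name:
                  type: string
                uid:
                  type: string
                apiVersion:
                  type: string
                resourceVersion:
                  type: string
                fieldPath:
                  type: string
            # ObjectReference-shaped pointer to the Node the agent runs on.
            nodeRef:
              type: object
              properties:
                kind:
                  type: string
                namespace:
                  type: string
                name:
                  type: string
                uid:
                  type: string
                apiVersion:
                  type: string
                resourceVersion:
                  type: string
                fieldPath:
                  type: string
      additionalPrinterColumns:
        - description: Health status of this Agent
          jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status"
          name: Healthy
          type: string
        - description: Last time the Healthy Condition was updated
          jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime"
          name: Last Heartbeat
          type: date
        - description: Version of this Agent
          jsonPath: ".version"
          name: Version
          type: string
          priority: 1
        - description: Node on which this Agent is running
          jsonPath: ".nodeRef.name"
          name: Node
          type: string
          priority: 1
        - description: Number of local Pods managed by this Agent
          jsonPath: ".localPodNum"
          name: Num Pods
          type: integer
          priority: 2
        - description: Subnets used by this Agent for Pod IPAM
          jsonPath: ".nodeSubnets"
          name: Subnets
          type: string
          priority: 2
  scope: Cluster
  names:
    plural: antreaagentinfos
    singular: antreaagentinfo
    kind: AntreaAgentInfo
    shortNames:
      - aai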

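---
# Source: antrea/crds/antreacontrollerinfo.yaml
#
# AntreaControllerInfo: a cluster-scoped status report for the Antrea
# controller (podRef/nodeRef/serviceRef locate it). As with AntreaAgentInfo,
# the schema only shapes the object; who may write it is RBAC outside this
# file, and apiPort is presumably read by clients that then connect to it, so
# the writer set should be limited to the controller's own service account.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: antreacontrollerinfos.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            # Controller build version as reported by the controller.
            version:
              type: string
            # Health conditions. type, status and lastHeartbeatTime are
            # mandatory on every entry so the Healthy / Last Heartbeat printer
            # columns below always have data to show.
            controllerConditions:
              type: array
              items:
                type: object
                required:
                  - type
                  - status
                  - lastHeartbeatTime
                properties:
                  lastHeartbeatTime:
                    type: string
                    format: date-time
                  # Quoted on purpose: bare True/False would be parsed as YAML
                  # booleans, and the enum must hold the strings "True"/"False".
                  status:
                    type: string
                    enum: ['True', 'False', 'Unknown']
                  type:
                    type: string
                    enum: ['ControllerHealthy']
                  reason:
                    type: string
                  message:
                    type: string
            # ObjectReference-shaped pointer to the controller Service.
            serviceRef:
              type: object
              properties:
                kind:
                  type: string
                namespace:
                  type: string
                name:
                  type: string
                uid:
                  type: string
                apiVersion:
                  type: string
                resourceVersion:
                  type: string
                fieldPath:
                  type: string
            networkPolicyControllerInfo:
              type: object
              properties:
                networkPolicyNum:
                  type: integer
                  format: int32
                addressGroupNum:
                  type: integer
                  format: int32
                appliedToGroupNum:
                  type: integer
                  format: int32
            # Controller API port, restricted to the valid port range.
            apiPort:
              type: integer
              minimum: 1
              maximum: 65535
            connectedAgentNum:
              type: integer
              format: int32
            # ObjectReference-shaped pointer to the controller Pod.
            podRef:
              type: object
              properties:
                kind:
                  type: string
                namespace:
                  type: string
                name:
                  type: string
                uid:
                  type: string
                apiVersion:
                  type: string
                resourceVersion:
                  type: string
                fieldPath:
                  type: string
            # ObjectReference-shaped pointer to the Node the controller runs on.
            nodeRef:
              type: object
              properties:
                kind:
                  type: string
                namespace:
                  type: string
                name:
                  type: string
                uid:
                  type: string
                apiVersion:
                  type: string
                resourceVersion:
                  type: string
                fieldPath:
                  type: string
      additionalPrinterColumns:
        - description: Health status of the Controller
          jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status"
          name: Healthy
          type: string
        - description: Last time the Healthy Condition was updated
          jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime"
          name: Last Heartbeat
          type: date
        - description: Version of the Controller
          jsonPath: ".version"
          name: Version
          type: string
          priority: 1
        - description: Number of Agents connected to the Controller
          jsonPath: ".connectedAgentNum"
          name: Connected Agents
          type: integer
          priority: 1
        - description: Node on which the Controller is running
          jsonPath: ".nodeRef.name"
          name: Node
          type: string
          priority: 1
        - description: Number of Network Policies computed by Controller
          jsonPath: ".networkPolicyControllerInfo.networkPolicyNum"
          name: Num Network Policies
          type: integer
          priority: 2
  scope: Cluster
  names:
    plural: antreacontrollerinfos
    singular: antreacontrollerinfo
    kind: AntreaControllerInfo
    shortNames:
      - aci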

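---
# Source: antrea/crds/bgppolicy.yaml
#
# BGPPolicy: presumably instructs the agents on the selected Nodes to run a
# BGP speaker that advertises Service, Pod and/or Egress addresses to the
# listed peers. Two things this schema cannot express, which should be
# settled outside it before peering over an untrusted segment:
#   1. nothing here carries peer authentication material (a TCP-MD5 password
#      or similar) -- check the deployment docs for how sessions are secured;
#   2. listenPort presumably opens a listener on every selected Node --
#      restrict who can reach it with host or network firewalling.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgppolicies.crd.antrea.io
  # Same label the other Antrea CRDs in this bundle carry, so label-based
  # selection of Antrea CRDs also includes this one.
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              required:
                - nodeSelector
                - localASN
              properties:
                # Which Nodes run the speaker. matchLabels is accepted as-is
                # (preserve-unknown-fields), so unlike the ClusterGroup
                # selectors in this bundle its values are not pattern-checked
                # at admission; a malformed value presumably just selects
                # nothing rather than being rejected.
                nodeSelector:
                  type: object
                  properties:
                    matchExpressions:
                      items:
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                            type: array
                        type: object
                      type: array
                    matchLabels:
                      x-kubernetes-preserve-unknown-fields: true
                # Only 2-byte ASNs (1-65535) pass validation; 4-byte ASNs are
                # rejected by the API server.
                localASN:
                  type: integer
                  format: int32
                  minimum: 1
                  maximum: 65535
                # Port the local speaker listens on; defaults to the standard
                # BGP port.
                listenPort:
                  type: integer
                  format: int32
                  minimum: 1
                  maximum: 65535
                  default: 179
                confederation:
                  type: object
                  properties:
                    identifier:
                      type: integer
                      format: int32
                      minimum: 1
                      maximum: 65535
                    memberASNs:
                      type: array
                      items:
                        type: integer
                        format: int32
                        minimum: 1
                        maximum: 65535
                # What gets advertised. ipTypes picks the Service address
                # kinds; pod and egress are empty objects, so presence of the
                # key is presumably what switches them on.
                advertisements:
                  type: object
                  properties:
                    service:
                      type: object
                      properties:
                        ipTypes:
                          type: array
                          items:
                            type: string
                            enum:
                              - ClusterIP
                              - LoadBalancerIP
                              - ExternalIP
                    pod:
                      type: object
                      properties: {}
                    egress:
                      type: object
                      properties: {}
                bgpPeers:
                  type: array
                  items:
                    type: object
                    required:
                      - address
                      - asn
                    properties:
                      # Must be an IPv4 or IPv6 literal; hostnames are rejected.
                      address:
                        type: string
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                      port:
                        type: integer
                        format: int32
                        minimum: 1
                        maximum: 65535
                        default: 179
                      # Same 2-byte ASN restriction as localASN.
                      asn:
                        type: integer
                        format: int32
                        minimum: 1
                        maximum: 65535
                      # Default 1 keeps sessions to directly connected peers
                      # unless explicitly raised.
                      multihopTTL:
                        type: integer
                        format: int32
                        minimum: 1
                        maximum: 255
                        default: 1
                      # Graceful-restart timer, capped at one hour.
                      gracefulRestartTimeSeconds:
                        type: integer
                        format: int32
                        minimum: 1
                        maximum: 3600
                        default: 120
      additionalPrinterColumns:
        - description: Local BGP AS number
          jsonPath: .spec.localASN
          name: Local ASN
          type: integer
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
  scope: Cluster
  names:
    plural: bgppolicies
    singular: bgppolicy
    kind: BGPPolicy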
---
# Source: antrea/crds/clustergroup.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clustergroups.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                childGroups:
                  type: array
                  items:
                    type: string
                podSelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                    matchLabels:
                      additionalProperties:
                        type: string
                        pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                      type: object
                namespaceSelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                    matchLabels:
                      additionalProperties:
                        type: string
                        pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                      type: object
                externalEntitySelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                    matchLabels:
                      additionalProperties:
                        type: string
                        pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                      type: object
                ipBlocks:
                  type: array
                  items:
                    type: object
                    properties:
                      cidr:
                        type: string
                        format: cidr
                      except:
                        type: array
                        items:
                          type: string
                          format: cidr
                serviceReference:
                  type: object
                  properties:
                    name:
                      type: string
                    namespace:
                      type: string
            status:
              type: object
              properties:
                conditions:
                  type: array
                  items:
                    type: object
                    properties:
                      type:
                        type: string
                      status:
                        type: string
                      lastTransitionTime:
                        type: string
      subresources:
        status: { }
  scope: Cluster
  names:
    plural: clustergroups
    singular: clustergroup
    kind: ClusterGroup
    shortNames:
      - cg

---
# Source: antrea/crds/clusternetworkpolicy.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusternetworkpolicies.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      additionalPrinterColumns:
        - name: Tier
          type: string
          description: The Tier to which this ClusterNetworkPolicy belongs to.
          jsonPath: .spec.tier
        - name: Priority
          type: number
          format: float
          description: The Priority of this ClusterNetworkPolicy relative to other policies.
          jsonPath: .spec.priority
        - name: Desired Nodes
          type: number
          format: int32
          description: The total number of Nodes that should realize the NetworkPolicy.
          jsonPath: .status.desiredNodesRealized
        - name: Current Nodes
          type: number
          format: int32
          description: The number of Nodes that have realized the NetworkPolicy.
          jsonPath: .status.currentNodesRealized
        - name: Age
          type: date
          jsonPath: .metadata.creationTimestamp
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              # Ensure that Spec.Priority field is set
              required:
                - priority
              type: object
              properties:
                tier:
                  type: string
                priority:
                  type: number
                  format: float
                  # Ensure that Spec.Priority field is between 1 and 10000
                  minimum: 1.0
                  maximum: 10000.0
                appliedTo:
                  type: array
                  items:
                    type: object
                    # Ensure that Spec.AppliedTo does not allow IPBlock field
                    properties:
                      podSelector:
                        type: object
                        properties:
                          matchExpressions:
                            type: array
                            items:
                              type: object
                              properties:
                                key:
                                  type: string
                                operator:
                                  enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                  type: string
                                values:
                                  type: array
                                  items:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                          matchLabels:
                            additionalProperties:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                            type: object
                      namespaceSelector:
                        type: object
                        properties:
                          matchExpressions:
                            type: array
                            items:
                              type: object
                              properties:
                                key:
                                  type: string
                                operator:
                                  enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                  type: string
                                values:
                                  type: array
                                  items:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                          matchLabels:
                            additionalProperties:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                            type: object
                      group:
                        type: string
                      serviceAccount:
                        type: object
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                          - name
                          - namespace
                      service:
                        type: object
                        properties:
                          name:
                            type: string
                          namespace:
                            type: string
                        required:
                          - name
                          - namespace
                      nodeSelector:
                        type: object
                        properties:
                          matchExpressions:
                            type: array
                            items:
                              type: object
                              properties:
                                key:
                                  type: string
                                operator:
                                  enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                  type: string
                                values:
                                  type: array
                                  items:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                          matchLabels:
                            additionalProperties:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                            type: object
                ingress:
                  type: array
                  items:
                    type: object
                    required:
                      - action
                    properties:
                      appliedTo:
                        type: array
                        items:
                          type: object
                          # Ensure that rule AppliedTo does not allow IPBlock field
                          properties:
                            podSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            namespaceSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            group:
                              type: string
                            serviceAccount:
                              type: object
                              properties:
                                name:
                                  type: string
                                namespace:
                                  type: string
                              required:
                                - name
                                - namespace
                            service:
                              type: object
                              properties:
                                name:
                                  type: string
                                namespace:
                                  type: string
                              required:
                                - name
                                - namespace
                      # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
                      action:
                        type: string
                        enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ]
                      ports:
                        type: array
                        items:
                          type: object
                          properties:
                            protocol:
                              type: string
                              enum: [ 'TCP', 'UDP', 'SCTP' ]
                            port:
                              x-kubernetes-int-or-string: true
                            endPort:
                              type: integer
                            sourcePort:
                              type: integer
                            sourceEndPort:
                              type: integer
                      protocols:
                        type: array
                        items:
                          type: object
                          oneOf:
                            - required: [ icmp ]
                            - required: [ igmp ]
                          properties:
                            icmp:
                              type: object
                              properties:
                                icmpType:
                                  type: integer
                                  minimum: 0
                                  maximum: 255
                                icmpCode:
                                  type: integer
                                  minimum: 0
                                  maximum: 255
                            igmp:
                              type: object
                              properties:
                                igmpType:
                                  type: integer
                                  # Only IGMP query (0x11) is valid igmpType in ingress rules.
                                  enum: [ 0x11 ]
                                groupAddress:
                                  type: string
                                  oneOf:
                                    - format: ipv4
                                    - format: ipv6
                      l7Protocols:
                        type: array
                        items:
                          type: object
                          oneOf:
                            - required: [ http ]
                            - required: [ tls ]
                          properties:
                            http:
                              type: object
                              properties:
                                host:
                                  type: string
                                method:
                                  type: string
                                  enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ]
                                path:
                                  type: string
                            tls:
                              type: object
                              properties:
                                sni:
                                  type: string
                      from:
                        type: array
                        items:
                          type: object
                          properties:
                            podSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            namespaceSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            namespaces:
                              type: object
                              maxProperties: 1
                              minProperties: 1
                              properties:
                                match:
                                  type: string
                                  enum:
                                    - Self
                                sameLabels:
                                  type: array
                                  items:
                                    type: string
                            ipBlock:
                              type: object
                              properties:
                                cidr:
                                  type: string
                                  format: cidr
                                except:
                                  type: array
                                  items:
                                    type: string
                                    format: cidr
                            group:
                              type: string
                            serviceAccount:
                              type: object
                              properties:
                                name:
                                  type: string
                                namespace:
                                  type: string
                              required:
                                - name
                                - namespace
                            nodeSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  items:
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                        type: array
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            scope:
                              type: string
                              enum: [ 'Cluster', 'ClusterSet' ]
                      name:
                        type: string
                      enableLogging:
                        type: boolean
                      logLabel:
                        type: string
                        pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$"
                # Egress rules. Only `action` is mandatory at the schema level; a rule
                # with no `to`, `ports` or `protocols` passes validation here and its
                # meaning (match-all or no-op) is decided by the controller, not the API
                # server.
                egress:
                  type: array
                  items:
                    type: object
                    required:
                      - action
                    properties:
                      # Per-rule appliedTo. Narrower than the `to` peer list below: only
                      # podSelector, namespaceSelector, group and serviceAccount are
                      # accepted, so ipBlock, nodeSelector and namespaces cannot be used
                      # as an appliedTo target.
                      appliedTo:
                        type: array
                        items:
                          type: object
                          # Ensure that rule AppliedTo does not allow IPBlock field
                          properties:
                            podSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      # Label keys are unconstrained strings; only values are
                                      # pattern-checked (see below).
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          # Kubernetes label-value shape: alphanumeric at both ends,
                                          # `-`, `_`, `.` inside; the empty string is allowed and
                                          # there is no length cap at this level.
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            namespaceSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            # Bare string, presumably a ClusterGroup name; existence is
                            # resolved by the controller, not validated by the API server.
                            group:
                              type: string
                            serviceAccount:
                              type: object
                              properties:
                                name:
                                  type: string
                                namespace:
                                  type: string
                              required:
                                - name
                                - namespace
                      # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
                      action:
                        type: string
                        enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ]
                      # L4 port matching. `port` is int-or-string (a number or, presumably,
                      # a named port). None of the integer fields carries a minimum or
                      # maximum, so values such as 70000 or -1 pass this schema -
                      # TODO confirm the admission webhook rejects them.
                      ports:
                        type: array
                        items:
                          type: object
                          properties:
                            protocol:
                              type: string
                              enum: [ 'TCP', 'UDP', 'SCTP' ]
                            port:
                              x-kubernetes-int-or-string: true
                            endPort:
                              type: integer
                            sourcePort:
                              type: integer
                            sourceEndPort:
                              type: integer
                      # ICMP / IGMP matching. Each entry must set exactly one of `icmp`
                      # or `igmp`: the oneOf rejects both `{}` and an entry with both keys.
                      protocols:
                        type: array
                        items:
                          type: object
                          oneOf:
                            - required: [ icmp ]
                            - required: [ igmp ]
                          properties:
                            icmp:
                              type: object
                              properties:
                                icmpType:
                                  type: integer
                                  minimum: 0
                                  maximum: 255
                                icmpCode:
                                  type: integer
                                  minimum: 0
                                  maximum: 255
                            igmp:
                              type: object
                              properties:
                                igmpType:
                                  type: integer
                                  # Only IGMP reports are valid igmpType values in egress rules:
                                  # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
                                  # It will match all IGMP report types if igmpType is not set.
                                  # (YAML parses these hex literals as the integers 18, 22, 34.)
                                  enum: [ 0x12, 0x16, 0x22 ]
                                groupAddress:
                                  type: string
                                  oneOf:
                                    - format: ipv4
                                    - format: ipv6
                      # L7 matching. Exactly one of `http`/`tls` per entry. `host`, `path`
                      # and `sni` are unconstrained strings: no hostname/path syntax or
                      # length is enforced here, so wildcard and case handling are entirely
                      # up to the L7 engine - TODO confirm what it accepts.
                      l7Protocols:
                        type: array
                        items:
                          type: object
                          oneOf:
                            - required: [ http ]
                            - required: [ tls ]
                          properties:
                            http:
                              type: object
                              properties:
                                host:
                                  type: string
                                method:
                                  type: string
                                  enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ]
                                path:
                                  type: string
                            tls:
                              type: object
                              properties:
                                sni:
                                  type: string
                      # Destination peers. Every key is optional and nothing forces one
                      # selector per entry, so which combinations are legal (and how they
                      # combine) is controller/webhook logic rather than schema.
                      to:
                        type: array
                        items:
                          type: object
                          properties:
                            podSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            namespaceSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            # Namespace scoping: exactly one of `match: Self` or `sameLabels`
                            # (min/maxProperties: 1).
                            namespaces:
                              type: object
                              maxProperties: 1
                              minProperties: 1
                              properties:
                                match:
                                  type: string
                                  enum:
                                    - Self
                                sameLabels:
                                  type: array
                                  items:
                                    type: string
                            # CIDR with carve-outs. Only CIDR syntax is validated; that each
                            # `except` entry lies inside `cidr` is not checked at this level.
                            ipBlock:
                              type: object
                              properties:
                                cidr:
                                  type: string
                                  format: cidr
                                except:
                                  type: array
                                  items:
                                    type: string
                                    format: cidr
                            group:
                              type: string
                            # Egress-only peer (the ingress `from` list has no fqdn). No
                            # pattern is applied, so wildcard syntax and DNS-name validity
                            # are decided outside this schema - TODO confirm in the webhook.
                            fqdn:
                              type: string
                            serviceAccount:
                              type: object
                              properties:
                                name:
                                  type: string
                                namespace:
                                  type: string
                              required:
                                - name
                                - namespace
                            nodeSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  items:
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                        type: array
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                      # Service peers by name/namespace. `scope` has no schema default; the
                      # scope used when it is omitted is a controller decision.
                      toServices:
                        type: array
                        items:
                          type: object
                          required:
                            - name
                            - namespace
                          properties:
                            name:
                              type: string
                            namespace:
                              type: string
                            scope:
                              type: string
                              enum: [ 'Cluster', 'ClusterSet' ]
                      name:
                        type: string
                      enableLogging:
                        type: boolean
                      # Free-form label, presumably attached to log entries when
                      # enableLogging is set; the pattern caps it at 63 characters.
                      logLabel:
                        type: string
                        pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$"
            # Status block, presumably written by the controller through the status
            # subresource. Nothing here constrains the values: `phase`, condition
            # `type` and `status` have no enum, and `lastTransitionTime` is a plain
            # string without `format: date-time`, so malformed timestamps are accepted.
            status:
              type: object
              properties:
                phase:
                  type: string
                observedGeneration:
                  type: integer
                # Realization counters; presumably "Nodes that have applied the policy"
                # vs. "Nodes that should" - confirm against the controller.
                currentNodesRealized:
                  type: integer
                desiredNodesRealized:
                  type: integer
                conditions:
                  type: array
                  items:
                    type: object
                    properties:
                      type:
                        type: string
                      status:
                        type: string
                      lastTransitionTime:
                        type: string
                      reason:
                        type: string
                      message:
                        type: string
      subresources:
        status: { }
  scope: Cluster
  names:
    plural: clusternetworkpolicies
    singular: clusternetworkpolicy
    kind: ClusterNetworkPolicy
    shortNames:
      - acnp

---
# Source: antrea/crds/egress.yaml
# Egress: cluster-scoped resource that selects workloads and assigns the SNAT IP
# used for their outbound traffic (see the `EgressIP` printer column below).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: egresses.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
          - spec
          properties:
            spec:
              type: object
              required:
              - appliedTo
              # Exactly one of the two groups must hold: the singular form (egressIP
              # and/or externalIPPool) or the list form (egressIPs and/or
              # externalIPPools). Mixing a singular and a plural field fails the
              # oneOf, as does setting none of the four.
              oneOf:
              - anyOf:
                - required:
                  - egressIP
                - required:
                  - externalIPPool
              - anyOf:
                - required:
                  - egressIPs
                - required:
                  - externalIPPools
              properties:
                # The key is required but nothing inside it is: `appliedTo: {}` passes
                # this schema. Whether an empty selector selects every Pod in the
                # cluster is decided by the controller/webhook - TODO confirm, since a
                # cluster-wide SNAT rewrite is an easy misconfiguration.
                appliedTo:
                  type: object
                  properties:
                    podSelector:
                      type: object
                      properties:
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                type: array
                                items:
                                  type: string
                                  # Kubernetes label-value shape; empty allowed, no length cap.
                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                        matchLabels:
                          type: object
                          additionalProperties:
                            type: string
                            pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                    namespaceSelector:
                      type: object
                      properties:
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                type: array
                                items:
                                  type: string
                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                        matchLabels:
                          type: object
                          additionalProperties:
                            type: string
                            pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                egressIP:
                  type: string
                  oneOf:
                  - format: ipv4
                  - format: ipv6
                # Each entry is an IPv4/IPv6 address or the empty string (maxLength: 0);
                # the empty string is presumably a placeholder meaning "allocate from
                # the pool at the same index" - TODO confirm.
                egressIPs:
                  type: array
                  items:
                    type: string
                    oneOf:
                    - maxLength: 0
                    - format: ipv4
                    - format: ipv6
                # Pool references are bare strings, presumably ExternalIPPool names
                # (CRD defined later in this file); resolved by the controller, not here.
                externalIPPool:
                  type: string
                externalIPPools:
                  type: array
                  items:
                    type: string
                # Rate limit. Both fields are required when the block is present, but
                # they are free-form strings: units and syntax are not validated here.
                bandwidth:
                  type: object
                  required:
                    - rate
                    - burst
                  properties:
                    rate:
                      type: string
                    burst:
                      type: string
            # Status (exposed via the status subresource below). Plain strings
            # throughout: no enum on condition type/status, no date-time format on
            # lastTransitionTime, no ip format on egressIP.
            status:
              type: object
              properties:
                egressNode:
                  type: string
                egressIP:
                  type: string
                conditions:
                  type: array
                  items:
                    type: object
                    properties:
                      type:
                        type: string
                      status:
                        type: string
                      lastTransitionTime:
                        type: string
                      reason:
                        type: string
                      message:
                        type: string
      additionalPrinterColumns:
      - description: The effective SNAT IP address for the selected workloads.
        jsonPath: .status.egressIP
        name: EgressIP
        type: string
      - jsonPath: .metadata.creationTimestamp
        name: Age
        type: date
      - description: The Owner Node of egress IP
        jsonPath: .status.egressNode
        name: Node
        type: string
      subresources:
        status: {}
  scope: Cluster
  names:
    plural: egresses
    singular: egress
    kind: Egress
    shortNames:
      - eg

---
# Source: antrea/crds/externalentity.yaml
# ExternalEntity: namespaced description of a non-Pod endpoint as a list of IPs
# and ports. Still at v1alpha2 (the other CRDs in this file are v1beta1) and
# used as the storage version.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: externalentities.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1alpha2
      served: true
      storage: true
      schema:
        # No `required` at any level: an ExternalEntity with an empty spec, or no
        # spec at all, is accepted by the API server.
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                endpoints:
                  type: array
                  items:
                    type: object
                    properties:
                      ip:
                        type: string
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                      name:
                        type: string
                ports:
                  type: array
                  items:
                    type: object
                    properties:
                      protocol:
                        type: string
                        enum: ['TCP', 'UDP', 'SCTP']
                      # Number or string (presumably a named port); no range check here.
                      port:
                        x-kubernetes-int-or-string: true
                      name:
                        type: string
                # Bare string, presumably the name of an ExternalNode in the same
                # namespace (CRD defined below); existence is not validated here.
                externalNode:
                  type: string
  # Namespaced; no status subresource and no printer columns are declared.
  scope: Namespaced
  names:
    plural: externalentities
    singular: externalentity
    kind: ExternalEntity
    shortNames:
      - ee

---
# Source: antrea/crds/externalippool.yaml
# ExternalIPPool: cluster-scoped set of IP ranges (CIDR or start-end), presumably
# allocated on the Nodes matched by `nodeSelector`; `status.usage` tracks
# allocation and feeds the printer columns below.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: externalippools.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              required:
                - ipRanges
                - nodeSelector
              properties:
                # Each range is either a `cidr` or a `start`+`end` pair, never both
                # (the oneOf rejects an entry carrying all three, or `start` alone).
                # Only address syntax is validated: start <= end, matching address
                # families and overlap between ranges are not schema checks.
                ipRanges:
                  type: array
                  items:
                    type: object
                    oneOf:
                      - required:
                          - cidr
                      - required:
                          - start
                          - end
                    properties:
                      cidr:
                        type: string
                        format: cidr
                      start:
                        type: string
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                      end:
                        type: string
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                # Optional L2 details. `prefixLength` 1..127 is a single bound shared
                # by both families, so an IPv4 gateway with prefixLength 64 passes the
                # schema - TODO confirm the controller checks family vs. length.
                subnetInfo:
                  type: object
                  required:
                    - gateway
                    - prefixLength
                  properties:
                    gateway:
                      type: string
                      oneOf:
                        - format: ipv4
                        - format: ipv6
                    prefixLength:
                      type: integer
                      minimum: 1
                      maximum: 127
                    # 802.1Q VLAN ID range; the meaning of 0 (untagged?) is not
                    # stated here - TODO confirm.
                    vlan:
                      type: integer
                      minimum: 0
                      maximum: 4094
                # Required key, but an empty selector `{}` satisfies the schema; what
                # an empty selector matches is controller semantics.
                nodeSelector:
                  type: object
                  properties:
                    matchExpressions:
                      items:
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            items:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                            type: array
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                        pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                      type: object
            status:
              type: object
              properties:
                # Allocation counters surfaced by the Total/Used printer columns.
                usage:
                  type: object
                  properties:
                    total:
                      type: integer
                    used:
                      type: integer
      additionalPrinterColumns:
        - description: The number of total IPs
          jsonPath: .status.usage.total
          name: Total
          type: integer
        - description: The number of allocated IPs
          jsonPath: .status.usage.used
          name: Used
          type: integer
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      subresources:
        status: { }
  scope: Cluster
  names:
    plural: externalippools
    singular: externalippool
    kind: ExternalIPPool
    shortNames:
      - eip

---
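# Source: antrea/crds/externalnode.yaml
# ExternalNode: a Namespaced resource describing one external (non-Kubernetes)
# host by the IPs of its single interface. Admission validation is done by the
# structural schema below; there is no status subresource for this kind.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    app: antrea
  name: externalnodes.crd.antrea.io
spec:
  group: crd.antrea.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              required:
                - interfaces
              properties:
                interfaces:
                  type: array
                  # Exactly one interface is accepted per ExternalNode.
                  minItems: 1
                  maxItems: 1
                  items:
                    type: object
                    # `required` only constrains object instances, so it has to sit on
                    # the item schema rather than on the enclosing array; placed on the
                    # array it is silently ignored and `ips` is never enforced.
                    required:
                      - ips
                    properties:
                      ips:
                        type: array
                        # At least one address is needed for the interface to be usable.
                        minItems: 1
                        items:
                          type: string
                          oneOf:
                            - format: ipv4
                            - format: ipv6
                      name:
                        type: string
  scope: Namespaced
  names:
    plural: externalnodes
    singular: externalnode
    kind: ExternalNode
    shortNames:
      - en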

---
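# Source: antrea/crds/group.yaml
# Group: a Namespaced set of workloads/addresses that policies can reference by
# name. Membership is expressed as child Groups, Pod/Namespace/ExternalEntity
# selectors, IP blocks, or a Service reference.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: groups.crd.antrea.io
  # `app: antrea` is carried by every other CRD in this chart; added here so that
  # label-based selection (kubectl -l app=antrea, cleanup scripts) also sees Groups.
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                childGroups:
                  type: array
                  items:
                    type: string
                podSelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                    matchLabels:
                      # NOTE(review): unlike the selectors in the NetworkPolicy CRD, the
                      # label values here are not pattern-checked; any mapping is accepted.
                      x-kubernetes-preserve-unknown-fields: true
                namespaceSelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                    matchLabels:
                      x-kubernetes-preserve-unknown-fields: true
                externalEntitySelector:
                  type: object
                  properties:
                    matchExpressions:
                      type: array
                      items:
                        type: object
                        properties:
                          key:
                            type: string
                          operator:
                            enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                            type: string
                          values:
                            type: array
                            items:
                              type: string
                    matchLabels:
                      x-kubernetes-preserve-unknown-fields: true
                ipBlocks:
                  type: array
                  items:
                    type: object
                    properties:
                      cidr:
                        type: string
                        format: cidr
                      except:
                        type: array
                        items:
                          type: string
                          format: cidr
                serviceReference:
                  type: object
                  properties:
                    name:
                      type: string
                    namespace:
                      type: string
            status:
              type: object
              properties:
                conditions:
                  type: array
                  items:
                    type: object
                    properties:
                      type:
                        type: string
                      status:
                        type: string
                      lastTransitionTime:
                        type: string
      # Status is written through the /status subresource only.
      subresources:
        status: { }
  scope: Namespaced
  names:
    plural: groups
    singular: group
    kind: Group
    shortNames:
      - grp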

---
# Source: antrea/crds/ippool.yaml
# IPPool: a Cluster-scoped pool of IP ranges that the controller hands out from.
# Two API versions are served; v1beta1 is the storage version and v1alpha2 is
# kept for existing clients and translated by the conversion webhook below.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.antrea.io
  labels:
    app: antrea
    served-by: antrea-controller
spec:
  group: crd.antrea.io
  scope: Cluster
  names:
    plural: ippools
    singular: ippool
    kind: IPPool
    shortNames:
      - ipp
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions: ["v1", "v1beta1"]
      clientConfig:
        service:
          name: "antrea"
          namespace: "kube-system"
          path: "/convert/ippool"
          # NOTE(review): no caBundle is declared here; presumably it is patched in
          # at runtime by the controller — confirm, otherwise conversion calls fail TLS.
  versions:
    # Deprecated version: still served, never stored. Clients get the warning
    # below on every request that uses it.
    - name: v1alpha2
      served: true
      storage: false
      deprecated: true
      deprecationWarning: "crd.antrea.io/v1alpha2 IPPool is deprecated; use crd.antrea.io/v1beta1 IPPool"
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              required:
                - ipVersion
                - ipRanges
              properties:
                ipVersion:
                  type: integer
                  enum: [4, 6]
                ipRanges:
                  type: array
                  items:
                    type: object
                    # Each range is either a CIDR or an explicit start/end pair; in this
                    # version the gateway and prefix length are repeated per range.
                    oneOf:
                      - required: [cidr, gateway, prefixLength]
                      - required: [start, end, gateway, prefixLength]
                    properties:
                      cidr:
                        type: string
                        format: cidr
                      start:
                        type: string
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                      end:
                        type: string
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                      gateway:
                        type: string
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                      prefixLength:
                        type: integer
                        minimum: 1
                        # NOTE(review): v1alpha2 admits /128 while v1beta1 caps at 127;
                        # confirm the conversion webhook copes with a 128 here.
                        maximum: 128
                      vlan:
                        type: integer
                        minimum: 0
                        maximum: 4094
            status:
              type: object
              properties:
                ipAddresses:
                  type: array
                  items:
                    type: object
                    properties:
                      ipAddress:
                        type: string
                      # Which workload currently holds the address.
                      owner:
                        type: object
                        properties:
                          pod:
                            type: object
                            properties:
                              name:
                                type: string
                              namespace:
                                type: string
                              containerID:
                                type: string
                              ifName:
                                type: string
                          statefulSet:
                            type: object
                            properties:
                              name:
                                type: string
                              namespace:
                                type: string
                              index:
                                type: integer
                      phase:
                        type: string
                usage:
                  type: object
                  properties:
                    used:
                      type: integer
                    total:
                      type: integer
      additionalPrinterColumns:
        - name: Total
          type: integer
          description: The number of total IPs
          jsonPath: .status.usage.total
        - name: Used
          type: integer
          description: The number of allocated IPs
          jsonPath: .status.usage.used
        - name: Age
          type: date
          jsonPath: .metadata.creationTimestamp
      subresources:
        status: {}
    # Storage version. Gateway/prefix/VLAN move out of the ranges into a single
    # subnetInfo block shared by every range of the pool.
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              required:
                - ipRanges
                - subnetInfo
              properties:
                ipRanges:
                  type: array
                  items:
                    type: object
                    # Either a CIDR or an explicit start/end pair.
                    oneOf:
                      - required: [cidr]
                      - required: [start, end]
                    properties:
                      cidr:
                        type: string
                        format: cidr
                      start:
                        type: string
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                      end:
                        type: string
                        oneOf:
                          - format: ipv4
                          - format: ipv6
                subnetInfo:
                  type: object
                  required:
                    - gateway
                    - prefixLength
                  properties:
                    gateway:
                      type: string
                      oneOf:
                        - format: ipv4
                        - format: ipv6
                    prefixLength:
                      type: integer
                      minimum: 1
                      maximum: 127
                    vlan:
                      type: integer
                      minimum: 0
                      maximum: 4094
            status:
              type: object
              properties:
                ipAddresses:
                  type: array
                  items:
                    type: object
                    properties:
                      ipAddress:
                        type: string
                      owner:
                        type: object
                        properties:
                          pod:
                            type: object
                            properties:
                              name:
                                type: string
                              namespace:
                                type: string
                              containerID:
                                type: string
                              ifName:
                                type: string
                          statefulSet:
                            type: object
                            properties:
                              name:
                                type: string
                              namespace:
                                type: string
                              index:
                                type: integer
                      phase:
                        type: string
                usage:
                  type: object
                  properties:
                    used:
                      type: integer
                    total:
                      type: integer
      additionalPrinterColumns:
        - name: Total
          type: integer
          description: The number of total IPs
          jsonPath: .status.usage.total
        - name: Used
          type: integer
          description: The number of allocated IPs
          jsonPath: .status.usage.used
        - name: Age
          type: date
          jsonPath: .metadata.creationTimestamp
      subresources:
        status: {}

---
# Source: antrea/crds/networkpolicy.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: networkpolicies.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      additionalPrinterColumns:
        - name: Tier
          type: string
          description: The Tier to which this Antrea NetworkPolicy belongs to.
          jsonPath: .spec.tier
        - name: Priority
          type: number
          format: float
          description: The Priority of this Antrea NetworkPolicy relative to other policies.
          jsonPath: .spec.priority
        - name: Desired Nodes
          type: number
          format: int32
          description: The total number of Nodes that should realize the NetworkPolicy.
          jsonPath: .status.desiredNodesRealized
        - name: Current Nodes
          type: number
          format: int32
          description: The number of Nodes that have realized the NetworkPolicy.
          jsonPath: .status.currentNodesRealized
        - name: Age
          type: date
          jsonPath: .metadata.creationTimestamp
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              # Ensure that Spec.Priority field is set
              required:
                - priority
              type: object
              properties:
                tier:
                  type: string
                priority:
                  type: number
                  format: float
                  # Ensure that Spec.Priority field is between 1 and 10000
                  minimum: 1.0
                  maximum: 10000.0
                appliedTo:
                  type: array
                  items:
                    type: object
                    # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field
                    properties:
                      externalEntitySelector:
                        type: object
                        properties:
                          matchExpressions:
                            type: array
                            items:
                              type: object
                              properties:
                                key:
                                  type: string
                                operator:
                                  enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                  type: string
                                values:
                                  type: array
                                  items:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                          matchLabels:
                            additionalProperties:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                            type: object
                      podSelector:
                        type: object
                        properties:
                          matchExpressions:
                            type: array
                            items:
                              type: object
                              properties:
                                key:
                                  type: string
                                operator:
                                  enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                  type: string
                                values:
                                  type: array
                                  items:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                          matchLabels:
                            additionalProperties:
                              type: string
                              pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                            type: object
                      group:
                        type: string
                ingress:
                  type: array
                  items:
                    type: object
                    required:
                      - action
                    properties:
                      appliedTo:
                        type: array
                        items:
                          type: object
                          # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
                          properties:
                            podSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            group:
                              type: string
                      # Ensure that the Action field allows only the Allow, Drop, Reject and Pass values
                      action:
                        type: string
                        enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ]
                      ports:
                        type: array
                        items:
                          type: object
                          properties:
                            protocol:
                              type: string
                              enum: [ 'TCP', 'UDP', 'SCTP' ]
                            port:
                              x-kubernetes-int-or-string: true
                            endPort:
                              type: integer
                            sourcePort:
                              type: integer
                            sourceEndPort:
                              type: integer
                      protocols:
                        type: array
                        items:
                          type: object
                          oneOf:
                            - required: [ icmp ]
                            - required: [ igmp ]
                          properties:
                            icmp:
                              type: object
                              properties:
                                icmpType:
                                  type: integer
                                  minimum: 0
                                  maximum: 255
                                icmpCode:
                                  type: integer
                                  minimum: 0
                                  maximum: 255
                            igmp:
                              type: object
                              properties:
                                igmpType:
                                  type: integer
                                  # Only IGMP query (0x11) is valid igmpType in ingress rules.
                                  enum: [ 0x11 ]
                                groupAddress:
                                  type: string
                                  oneOf:
                                    - format: ipv4
                                    - format: ipv6
                      l7Protocols:
                        type: array
                        items:
                          type: object
                          oneOf:
                            - required: [ http ]
                            - required: [ tls ]
                          properties:
                            http:
                              type: object
                              properties:
                                host:
                                  type: string
                                method:
                                  type: string
                                  enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ]
                                path:
                                  type: string
                            tls:
                              type: object
                              properties:
                                sni:
                                  type: string
                      from:
                        type: array
                        items:
                          type: object
                          properties:
                            podSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            namespaceSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            externalEntitySelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            ipBlock:
                              type: object
                              properties:
                                cidr:
                                  type: string
                                  format: cidr
                                except:
                                  type: array
                                  items:
                                    type: string
                                    format: cidr
                            nodeSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  items:
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                        type: array
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            group:
                              type: string
                            scope:
                              type: string
                              enum: [ 'Cluster', 'ClusterSet' ]
                      name:
                        type: string
                      enableLogging:
                        type: boolean
                      logLabel:
                        type: string
                        pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$"
                egress:
                  type: array
                  items:
                    type: object
                    required:
                      - action
                    properties:
                      appliedTo:
                        type: array
                        items:
                          type: object
                          # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field
                          properties:
                            podSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            group:
                              type: string
                      # Ensure that the action field allows only the Allow, Drop, Reject and Pass values (the enum below is case-sensitive)
                      action:
                        type: string
                        enum: [ 'Allow', 'Drop', 'Reject', 'Pass' ]
                      ports:
                        type: array
                        items:
                          type: object
                          properties:
                            protocol:
                              type: string
                              enum: [ 'TCP', 'UDP', 'SCTP' ]
                            port:
                              x-kubernetes-int-or-string: true
                            endPort:
                              type: integer
                            sourcePort:
                              type: integer
                            sourceEndPort:
                              type: integer
                      protocols:
                        type: array
                        items:
                          type: object
                          oneOf:
                            - required: [ icmp ]
                            - required: [ igmp ]
                          properties:
                            icmp:
                              type: object
                              properties:
                                icmpType:
                                  type: integer
                                  minimum: 0
                                  maximum: 255
                                icmpCode:
                                  type: integer
                                  minimum: 0
                                  maximum: 255
                            igmp:
                              type: object
                              properties:
                                igmpType:
                                  type: integer
                                  # Only IGMP report types are valid for igmpType in egress rules:
                                  # 0x12 is the IGMPv1 report, 0x16 the IGMPv2 report and 0x22 the IGMPv3 report.
                                  # If igmpType is not set, the rule matches all IGMP report types.
                                  enum: [ 0x12, 0x16, 0x22 ]
                                groupAddress:
                                  type: string
                                  oneOf:
                                    - format: ipv4
                                    - format: ipv6
                      l7Protocols:
                        type: array
                        items:
                          type: object
                          oneOf:
                            - required: [ http ]
                            - required: [ tls ]
                          properties:
                            http:
                              type: object
                              properties:
                                host:
                                  type: string
                                method:
                                  type: string
                                  enum: [ 'GET', 'POST', 'PUT', 'HEAD', 'DELETE', 'TRACE', 'OPTIONS', 'CONNECT', 'PATCH' ]
                                path:
                                  type: string
                            tls:
                              type: object
                              properties:
                                sni:
                                  type: string
                      to:
                        type: array
                        items:
                          type: object
                          properties:
                            podSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            namespaceSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            externalEntitySelector:
                              type: object
                              properties:
                                matchExpressions:
                                  type: array
                                  items:
                                    type: object
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        type: array
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            ipBlock:
                              type: object
                              properties:
                                cidr:
                                  type: string
                                  format: cidr
                                except:
                                  type: array
                                  items:
                                    type: string
                                    format: cidr
                            fqdn:
                              type: string
                            nodeSelector:
                              type: object
                              properties:
                                matchExpressions:
                                  items:
                                    properties:
                                      key:
                                        type: string
                                      operator:
                                        enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                        type: string
                                      values:
                                        items:
                                          type: string
                                          pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                        type: array
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                    pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                  type: object
                            group:
                              type: string
                      toServices:
                        type: array
                        items:
                          type: object
                          required:
                            - name
                          properties:
                            name:
                              type: string
                            namespace:
                              type: string
                            scope:
                              type: string
                      name:
                        type: string
                      enableLogging:
                        type: boolean
                      logLabel:
                        type: string
                        pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9])?$"
            status:
              type: object
              properties:
                phase:
                  type: string
                observedGeneration:
                  type: integer
                currentNodesRealized:
                  type: integer
                desiredNodesRealized:
                  type: integer
                conditions:
                  type: array
                  items:
                    type: object
                    properties:
                      type:
                        type: string
                      status:
                        type: string
                      lastTransitionTime:
                        type: string
                      reason:
                        type: string
                      message:
                        type: string
      subresources:
        status: { }
  scope: Namespaced
  names:
    plural: networkpolicies
    singular: networkpolicy
    kind: NetworkPolicy
    shortNames:
      - annp
      # Deprecated shortName and shall be removed in Antrea v1.14.0
      - anp

---
# Source: antrea/crds/nodelatencymonitor.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: nodelatencymonitors.crd.antrea.io
spec:
  group: crd.antrea.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              required:
                - pingIntervalSeconds
              properties:
                # minimum: 1 rejects zero and negative intervals; no upper bound is enforced.
                pingIntervalSeconds:
                  type: integer
                  format: int32
                  minimum: 1
                  description: "Ping interval in seconds, must be at least 1."
                  default: 60
            metadata:
              type: object
              properties:
                # Only an object named "default" passes validation, so at most one
                # NodeLatencyMonitor can exist in the cluster (the resource is cluster-scoped).
                name:
                  type: string
                  pattern: '^default$'
      additionalPrinterColumns:
        # NOTE(review): the column type is "string" although .spec.pingIntervalSeconds is an
        # integer; the Timeout column of packetcaptures.crd.antrea.io uses "integer" for
        # the same kind of field.
        - description: Specifies the interval between pings.
          jsonPath: .spec.pingIntervalSeconds
          name: PingIntervalSeconds
          type: string
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
  scope: Cluster
  names:
    plural: nodelatencymonitors
    singular: nodelatencymonitor
    kind: NodeLatencyMonitor
    shortNames:
      - nlm

---
# Source: antrea/crds/packetcapture.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: packetcaptures.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      additionalPrinterColumns:
        - jsonPath: .spec.source.pod
          description: The name of the source Pod.
          name: Source-Pod
          type: string
          priority: 10
        - jsonPath: .spec.destination.pod
          description: The name of the destination Pod.
          name: Destination-Pod
          type: string
          priority: 10
        - jsonPath: .spec.source.ip
          description: The IP address of the source.
          name: Source-IP
          type: string
          priority: 10
        - jsonPath: .spec.destination.ip
          description: The IP address of the destination.
          name: Destination-IP
          type: string
          priority: 10
        - jsonPath: .spec.timeout
          description: Timeout in seconds.
          name: Timeout
          type: integer
          priority: 10
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
        - jsonPath: .status.numberCaptured
          description: Number of packets captured so far.
          name: Captured-Packets
          type: integer
        - jsonPath: .status.conditions[?(@.type=="PacketCaptureStarted")].status
          description: Whether the capture has been started.
          name: Started
          type: string
        - jsonPath: .status.conditions[?(@.type=="PacketCaptureComplete")].status
          description: Whether the capture has completed.
          name: Complete
          type: string
        - jsonPath: .status.conditions[?(@.type=="PacketCaptureFileUploaded")].status
          description: Whether the capture file has been uploaded to the file server.
          name: Uploaded
          type: string
          priority: 10
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              required:
                - source
                - captureConfig
                - destination
              # At least one endpoint must be a Pod (anyOf); each endpoint is exactly one
              # of pod/ip (oneOf below). IP endpoints are IPv4 only, matching packet.ipFamily.
              anyOf:
                - properties:
                    source:
                      required: [pod]
                - properties:
                    destination:
                      required: [pod]
              properties:
                source:
                  type: object
                  oneOf:
                    - required:
                      - pod
                    - required:
                      - ip
                  properties:
                    pod:
                      type: object
                      required:
                        - name
                      properties:
                        # Defaults to "default". This CRD is cluster-scoped, so as far as the
                        # schema is concerned a PacketCapture can target a Pod in any
                        # namespace; gate create/update on this resource with RBAC.
                        namespace:
                          type: string
                          default: default
                        name:
                          type: string
                    ip:
                      type: string
                      format: ipv4
                destination:
                  type: object
                  oneOf:
                    - required:
                      - pod
                    - required:
                      - ip
                  properties:
                    pod:
                      type: object
                      required:
                        - name
                      properties:
                        # Same cluster-wide reach as source.pod.namespace above.
                        namespace:
                          type: string
                          default: default
                        name:
                          type: string
                    ip:
                      type: string
                      format: ipv4
                packet:
                  type: object
                  properties:
                    ipFamily:
                      type: string
                      enum: [IPv4]
                      default: IPv4
                    # Accepts a protocol number or a name; no enum or range is enforced in
                    # the schema, so any further validation has to happen outside it.
                    protocol:
                      x-kubernetes-int-or-string: true
                    transportHeader:
                      type: object
                      properties:
                        udp:
                          type: object
                          properties:
                            srcPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                            dstPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                        tcp:
                          type: object
                          properties:
                            srcPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                            dstPort:
                              type: integer
                              minimum: 1
                              maximum: 65535

                # Timeout in seconds, constrained to 1..300 (default 60).
                timeout:
                  type: integer
                  minimum: 1
                  maximum: 300
                  default: 60
                captureConfig:
                  type: object
                  oneOf:
                    - required:
                      - firstN
                  properties:
                    firstN:
                      type: object
                      required:
                        - number
                      properties:
                        # NOTE(review): no minimum/maximum is set, so 0 and negative values
                        # pass schema validation; consider `minimum: 1`. The timeout above
                        # presumably still bounds how long the capture runs.
                        number:
                          type: integer
                          format: int32
                fileServer:
                  type: object
                  properties:
                    # NOTE(review): this pattern is unanchored (no ^/$), so the schema only
                    # requires the value to *contain* "sftp://<host>:<port>"; any text before
                    # or after it (e.g. a remote path) is accepted. Only the sftp scheme is
                    # described. The "-" after \w is a literal hyphen under Go's RE2, which
                    # is what the API server uses for `pattern` — worth double-checking.
                    url:
                      type: string
                      pattern: 'sftp:\/\/[\w-_./]+:\d+'
                    # base64-encoded (format: byte) public key of the SFTP host. How it is
                    # used for host-key verification, and what happens when it is omitted,
                    # is not visible in this schema — confirm in the agent before relying
                    # on it to prevent upload to an impersonated server.
                    hostPublicKey:
                      type: string
                      format: byte
            status:
              type: object
              properties:
                numberCaptured:
                  type: integer
                filePath:
                  type: string
                conditions:
                  type: array
                  items:
                    type: object
                    properties:
                      type:
                        type: string
                      status:
                        type: string
                      lastTransitionTime:
                        type: string
                      reason:
                        type: string
                      message:
                        type: string
      subresources:
        status: {}
  scope: Cluster
  names:
    plural: packetcaptures
    singular: packetcapture
    kind: PacketCapture
    shortNames:
      - pcap

---
# Source: antrea/crds/supportbundlecollection.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: supportbundlecollections.crd.antrea.io
spec:
  group: crd.antrea.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              required:
                - fileServer
                - authentication
              # At least one of nodes/externalNodes must be present (both is allowed).
              anyOf:
                - required:
                    - nodes
                - required:
                    - externalNodes
              properties:
                nodes:
                  type: object
                  properties:
                    nodeNames:
                      type: array
                      items:
                        type: string
                    nodeSelector:
                      type: object
                      properties:
                        matchExpressions:
                          items:
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                items:
                                  type: string
                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                type: array
                            type: object
                          type: array
                        # NOTE(review): matchLabels is left unvalidated here
                        # (preserve-unknown-fields), whereas the selectors in the
                        # NetworkPolicy CRD in this file constrain it to string values
                        # matching the same label-value pattern used for `values` above.
                        matchLabels:
                          x-kubernetes-preserve-unknown-fields: true
                externalNodes:
                  type: object
                  required:
                    - namespace
                  properties:
                    namespace:
                      type: string
                    nodeNames:
                      type: array
                      items:
                        type: string
                    nodeSelector:
                      type: object
                      properties:
                        matchExpressions:
                          items:
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                items:
                                  type: string
                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                                type: array
                            type: object
                          type: array
                        # NOTE(review): same unvalidated matchLabels as under nodes above.
                        matchLabels:
                          x-kubernetes-preserve-unknown-fields: true
                # NOTE(review): defaults to 60 but has no minimum, so 0 and negative
                # values pass schema validation.
                expirationMinutes:
                  type: integer
                  default: 60
                sinceTime:
                  type: string
                  format: duration
                fileServer:
                  type: object
                  properties:
                    # NOTE(review): no pattern or format is enforced on the URL here,
                    # unlike the sftp pattern on packetcaptures.crd.antrea.io.
                    url:
                      type: string
                    # base64-encoded (format: byte) public key of the file server host.
                    # Whether uploads are refused when it is omitted is not visible in
                    # this schema — confirm in the controller.
                    hostPublicKey:
                      type: string
                      format: byte
                # `authentication` itself is required, but none of its fields are, so
                # `authentication: {}` passes schema validation.
                authentication:
                  type: object
                  properties:
                    authType:
                      type: string
                      enum: ["BearerToken", "APIKey", "BasicAuthentication"]
                    # Reference to a Secret, presumably holding the credentials for authType.
                    # The namespace is free-form and this CRD is cluster-scoped, so whoever
                    # may create a SupportBundleCollection can reference a Secret in any
                    # namespace as far as the schema is concerned — restrict create/update
                    # on this resource via RBAC.
                    authSecret:
                      type: object
                      properties:
                        name:
                          type: string
                        namespace:
                          type: string
            status:
              type: object
              properties:
                collectedNodes:
                  type: integer
                desiredNodes:
                  type: integer
                conditions:
                  type: array
                  items:
                    type: object
                    properties:
                      type:
                        type: string
                      status:
                        type: string
                      lastTransitionTime:
                        type: string
                      reason:
                        type: string
                      message:
                        type: string
      subresources:
        status: {}
  scope: Cluster
  names:
    plural: supportbundlecollections
    singular: supportbundlecollection
    kind: SupportBundleCollection
    shortNames:
      - sbc

---
# Source: antrea/crds/tier.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: tiers.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      additionalPrinterColumns:
        - name: Priority
          type: integer
          description: The Priority of this Tier relative to other Tiers.
          jsonPath: .spec.priority
        - name: Age
          type: date
          jsonPath: .metadata.creationTimestamp
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              required:
                - priority
              type: object
              properties:
                # Constrained to 0..255. Which end of the range is evaluated first is not
                # encoded in this schema — see the Antrea NetworkPolicy documentation.
                priority:
                  type: integer
                  minimum: 0
                  maximum: 255
                description:
                  type: string
  scope: Cluster
  names:
    plural: tiers
    singular: tier
    kind: Tier
    shortNames:
      - tr

---
# Source: antrea/crds/traceflow.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: traceflows.crd.antrea.io
  labels:
    app: antrea
spec:
  group: crd.antrea.io
  versions:
    - name: v1beta1
      served: true
      storage: true
      additionalPrinterColumns:
        - jsonPath: .status.phase
          description: The phase of the Traceflow.
          name: Phase
          type: string
        - jsonPath: .spec.source.pod
          description: The name of the source Pod.
          name: Source-Pod
          type: string
          priority: 10
        - jsonPath: .spec.destination.pod
          description: The name of the destination Pod.
          name: Destination-Pod
          type: string
          priority: 10
        - jsonPath: .spec.destination.ip
          description: The IP address of the destination.
          name: Destination-IP
          type: string
          priority: 10
        - jsonPath: .spec.liveTraffic
          description: Trace live traffic.
          name: Live-Traffic
          type: boolean
          priority: 10
        - jsonPath: .spec.droppedOnly
          description: Capture only the dropped packet.
          name: Dropped-Only
          type: boolean
          priority: 10
        - jsonPath: .spec.timeout
          description: Timeout in seconds.
          name: Timeout
          type: integer
          priority: 10
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              properties:
                source:
                  type: object
                  properties:
                    pod:
                      type: string
                    namespace:
                      type: string
                    ip:
                      type: string
                      oneOf:
                        - format: ipv4
                        - format: ipv6
                destination:
                  type: object
                  properties:
                    pod:
                      type: string
                    service:
                      type: string
                    namespace:
                      type: string
                    ip:
                      type: string
                      oneOf:
                        - format: ipv4
                        - format: ipv6
                packet:
                  type: object
                  properties:
                    ipHeader:
                      type: object
                      properties:
                        protocol:
                          type: integer
                          minimum: 0
                          maximum: 255
                        ttl:
                          type: integer
                          minimum: 0
                          maximum: 255
                        flags:
                          type: integer
                          minimum: 0
                          maximum: 7
                    ipv6Header:
                      type: object
                      properties:
                        nextHeader:
                          type: integer
                          minimum: 0
                          maximum: 65535
                        hopLimit:
                          type: integer
                          minimum: 0
                          maximum: 65535
                    transportHeader:
                      type: object
                      properties:
                        icmp:
                          type: object
                          properties:
                            id:
                              type: integer
                              minimum: 0
                              maximum: 65535
                            sequence:
                              type: integer
                              minimum: 0
                              maximum: 65535
                        udp:
                          type: object
                          properties:
                            srcPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                            dstPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                        tcp:
                          type: object
                          properties:
                            srcPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                            dstPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                            flags:
                              type: integer
                              minimum: 0
                              maximum: 255
                liveTraffic:
                  type: boolean
                droppedOnly:
                  type: boolean
                timeout:
                  type: integer
                  minimum: 1
                  maximum: 300
            status:
              type: object
              properties:
                reason:
                  type: string
                dataplaneTag:
                  type: integer
                phase:
                  type: string
                startTime:
                  type: string
                results:
                  type: array
                  items:
                    type: object
                    properties:
                      node:
                        type: string
                      role:
                        type: string
                      timestamp:
                        type: integer
                      observations:
                        type: array
                        items:
                          type: object
                          properties:
                            component:
                              type: string
                            componentInfo:
                              type: string
                            action:
                              type: string
                            pod:
                              type: string
                            dstMAC:
                              type: string
                            networkPolicy:
                              type: string
                            networkPolicyRule:
                              type: string
                            ttl:
                              type: integer
                              minimum: 0
                              maximum: 255
                            translatedSrcIP:
                              type: string
                            translatedDstIP:
                              type: string
                            tunnelDstIP:
                              type: string
                            egressIP:
                              type: string
                            egress:
                              type: string
                            egressNode:
                              type: string
                            srcPodIP:
                              type: string
                capturedPacket:
                  properties:
                    srcIP:
                      type: string
                    dstIP:
                      type: string
                    length:
                      type: integer
                      minimum: 0
                      maximum: 65535
                    ipHeader:
                      properties:
                        flags:
                          type: integer
                          minimum: 0
                          maximum: 7
                        protocol:
                          type: integer
                          minimum: 0
                          maximum: 255
                        ttl:
                          type: integer
                          minimum: 0
                          maximum: 255
                      type: object
                    ipv6Header:
                      properties:
                        hopLimit:
                          type: integer
                          minimum: 0
                          maximum: 65535
                        nextHeader:
                          type: integer
                          minimum: 0
                          maximum: 65535
                      type: object
                    transportHeader:
                      properties:
                        tcp:
                          properties:
                            dstPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                            srcPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                            flags:
                              type: integer
                              minimum: 0
                              maximum: 255
                          type: object
                        udp:
                          properties:
                            dstPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                            srcPort:
                              type: integer
                              minimum: 1
                              maximum: 65535
                          type: object
                        icmp:
                          properties:
                            id:
                              type: integer
                              minimum: 0
                              maximum: 65535
                            sequence:
                              type: integer
                              minimum: 0
                              maximum: 65535
                          type: object
                      type: object
                  type: object
      subresources:
        status: {}
  scope: Cluster
  names:
    plural: traceflows
    singular: traceflow
    kind: Traceflow
    shortNames:
      - tf

---
# Source: antrea/crds/trafficcontrol.yaml
# TrafficControl (crd.antrea.io/v1alpha2, cluster-scoped): mirrors or redirects the
# traffic of the Pods selected by spec.appliedTo to the port described by spec.targetPort.
# spec.returnPort is optional and presumably carries redirected traffic back -- its
# semantics are not fixed by this schema.
# NOTE(review): targetPort accepts tunnel endpoints (geneve/vxlan/gre/erspan) with an
# arbitrary remoteIP, so whoever may create a TrafficControl can copy or divert selected
# Pod traffic to any reachable host. Treat create/update on this resource as a
# cluster-admin-level privilege in RBAC. The agent-side `TrafficControl` feature gate in
# antrea-agent.conf (this manifest) defaults to false, so the CRD is inert until enabled.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: trafficcontrols.crd.antrea.io
spec:
  group: crd.antrea.io
  versions:
    - name: v1alpha2
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              # returnPort is deliberately absent from this list: only targetPort is mandatory.
              required:
                - appliedTo
                - direction
                - action
                - targetPort
              properties:
                # Neither podSelector nor namespaceSelector is required, so `appliedTo: {}` passes
                # validation. Whether the controller reads that as "no Pods" or "all Pods" is not
                # defined here -- confirm before relying on it.
                appliedTo:
                  type: object
                  properties:
                    podSelector:
                      type: object
                      properties:
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                type: array
                                items:
                                  type: string
                                  # Kubernetes label-value syntax (empty, or alnum-bounded, max charset [-A-Za-z0-9_.]).
                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                        # Unlike matchExpressions values, matchLabels is not validated by this
                        # schema (unknown fields are preserved as-is).
                        matchLabels:
                          x-kubernetes-preserve-unknown-fields: true
                    namespaceSelector:
                      type: object
                      properties:
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                type: array
                                items:
                                  type: string
                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                        # Same caveat as podSelector.matchLabels: not validated here.
                        matchLabels:
                          x-kubernetes-preserve-unknown-fields: true
                direction:
                  type: string
                  enum:
                    - Ingress
                    - Egress
                    - Both
                action:
                  type: string
                  enum:
                    - Mirror
                    - Redirect
                # Exactly one port kind must be present (oneOf over the required lists below).
                # For the tunnel kinds only the *shape* of remoteIP is checked (a bare IPv4 or IPv6
                # address -- not a CIDR or hostname); nothing here restricts which hosts may receive
                # mirrored or redirected Pod traffic.
                targetPort:
                  type: object
                  oneOf:
                    - required: [ovsInternal]
                    - required: [device]
                    - required: [geneve]
                    - required: [vxlan]
                    - required: [gre]
                    - required: [erspan]
                  properties:
                    ovsInternal:
                      type: object
                      required:
                        - name
                      properties:
                        name:
                          type: string
                    device:
                      type: object
                      required:
                        - name
                      properties:
                        name:
                          type: string
                    geneve:
                      type: object
                      required:
                        - remoteIP
                      properties:
                        remoteIP:
                          type: string
                          oneOf:
                            - format: ipv4
                            - format: ipv6
                        # 24-bit VNI.
                        vni:
                          type: integer
                          minimum: 0
                          maximum: 16777215
                        destinationPort:
                          type: integer
                          minimum: 1
                          maximum: 65535
                    vxlan:
                      type: object
                      required:
                        - remoteIP
                      properties:
                        remoteIP:
                          type: string
                          oneOf:
                            - format: ipv4
                            - format: ipv6
                        # 24-bit VNI.
                        vni:
                          type: integer
                          minimum: 0
                          maximum: 16777215
                        destinationPort:
                          type: integer
                          minimum: 1
                          maximum: 65535
                    gre:
                      type: object
                      required:
                        - remoteIP
                      properties:
                        remoteIP:
                          type: string
                          oneOf:
                            - format: ipv4
                            - format: ipv6
                        # 32-bit GRE key.
                        key:
                          type: integer
                          minimum: 0
                          maximum: 4294967295
                    erspan:
                      type: object
                      required:
                        - remoteIP
                        - version
                      properties:
                        remoteIP:
                          type: string
                          oneOf:
                            - format: ipv4
                            - format: ipv6
                        sessionID:
                          type: integer
                          minimum: 0
                          maximum: 1023
                        version:
                          type: integer
                          enum:
                            - 1
                            - 2
                        # NOTE(review): no range is enforced for index or hardwareID (compare
                        # sessionID above); the agent is assumed to validate them -- confirm.
                        index:
                          type: integer
                        dir:
                          type: integer
                          enum:
                            - 0
                            - 1
                        hardwareID:
                          type: integer
                # Optional (not in spec.required). Accepts the same kinds as targetPort except
                # erspan, which is not an option here.
                returnPort:
                  type: object
                  oneOf:
                    - required: [ovsInternal]
                    - required: [device]
                    - required: [geneve]
                    - required: [vxlan]
                    - required: [gre]
                  properties:
                    ovsInternal:
                      type: object
                      required:
                        - name
                      properties:
                        name:
                          type: string
                    device:
                      type: object
                      required:
                        - name
                      properties:
                        name:
                          type: string
                    geneve:
                      type: object
                      required:
                        - remoteIP
                      properties:
                        remoteIP:
                          type: string
                          oneOf:
                            - format: ipv4
                            - format: ipv6
                        vni:
                          type: integer
                          minimum: 0
                          maximum: 16777215
                        destinationPort:
                          type: integer
                          minimum: 1
                          maximum: 65535
                    vxlan:
                      type: object
                      required:
                        - remoteIP
                      properties:
                        remoteIP:
                          type: string
                          oneOf:
                            - format: ipv4
                            - format: ipv6
                        vni:
                          type: integer
                          minimum: 0
                          maximum: 16777215
                        destinationPort:
                          type: integer
                          minimum: 1
                          maximum: 65535
                    gre:
                      type: object
                      required:
                        - remoteIP
                      properties:
                        remoteIP:
                          type: string
                          oneOf:
                            - format: ipv4
                            - format: ipv6
                        key:
                          type: integer
                          minimum: 0
                          maximum: 4294967295
      additionalPrinterColumns:
        - description: Specifies the direction of traffic that should be matched.
          jsonPath: .spec.direction
          name: Direction
          type: string
        - description: Specifies the action that should be taken for the traffic.
          jsonPath: .spec.action
          name: Action
          type: string
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      # NOTE(review): the status subresource is enabled, but openAPIV3Schema declares no
      # `status` properties. With structural-schema pruning, any status content written by a
      # controller would be dropped unless it is added to the schema -- presumably unused today.
      subresources:
        status: {}
  scope: Cluster
  names:
    plural: trafficcontrols
    singular: trafficcontrol
    kind: TrafficControl
    shortNames:
      - tc

---
# Source: antrea/templates/agent/serviceaccount.yaml
# ServiceAccount `antrea-agent` (kube-system). The antrea-agent-service-account-token
# Secret further down in this manifest binds a static token to this account, so anything
# able to read that Secret inherits whatever RBAC is bound to antrea-agent (bindings are
# not visible in this section).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: antrea-agent
  namespace: kube-system
  labels:
    app: antrea
---
# Source: antrea/templates/antctl/serviceaccount.yaml
# ServiceAccount `antctl` (kube-system). The antctl-service-account-token Secret further
# down mints a static token for it; that token is a portable credential for whatever RBAC
# is bound to antctl (not visible here), so read access to that Secret must be guarded.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: antctl
  namespace: kube-system
  labels:
    app: antrea
---
# Source: antrea/templates/controller/serviceaccount.yaml
# ServiceAccount `antrea-controller` (kube-system). Unlike antrea-agent and antctl, no
# static token Secret for this account appears in this section; presumably it relies on
# the token projected into its Pod -- the preferred pattern.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: antrea-controller
  namespace: kube-system
  labels:
    app: antrea
---
# Source: antrea/templates/agent/secret.yaml
# Static bearer token for the antrea-agent ServiceAccount. A Secret of type
# kubernetes.io/service-account-token annotated with the SA name is filled in by the
# token controller with a token that, unlike TokenRequest/projected tokens, does not
# expire and is only invalidated by deleting the Secret.
# NOTE(review): this is a long-lived credential in etcd (plaintext unless encryption at
# rest is configured). Restrict `get`/`list` on Secrets in kube-system, rotate by
# deleting/recreating the Secret on suspected exposure, and confirm whether the consumer
# could use a projected token instead.
apiVersion: v1
kind: Secret
metadata:
  name: antrea-agent-service-account-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: antrea-agent
type: kubernetes.io/service-account-token
---
# Source: antrea/templates/antctl/secret.yaml
# Static bearer token for the antctl ServiceAccount (same mechanism as the agent token
# above: populated by the token controller, non-expiring, revoked only by deletion).
# NOTE(review): a CLI credential that never expires and lives in kube-system is an
# attractive target -- anyone who can read this Secret can run antctl with its full RBAC
# from anywhere that reaches the API server. Limit read access to Secrets in kube-system,
# enable encryption at rest, and rotate by deleting/recreating the Secret.
apiVersion: v1
kind: Secret
metadata:
  name: antctl-service-account-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: antctl
type: kubernetes.io/service-account-token
---
# Source: antrea/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: antrea-config
  namespace: kube-system
  labels:
    app: antrea
data:
  antrea-agent.conf: |
    # FeatureGates is a map of feature names to bools that enable or disable experimental features.
    featureGates:
    # AllAlpha is a global toggle for alpha features. Per-feature key values override the default set by AllAlpha.
    #  AllAlpha: false

    # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta.
    #  AllBeta: false

    # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
    # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
    # Service traffic. Note that this feature gate is deprecated since this feature was
    # promoted to GA in v1.14.
    #  AntreaProxy: true

    # Enable TopologyAwareHints in AntreaProxy. This requires AntreaProxy and EndpointSlice to be
    # enabled, otherwise this flag will not take effect.
    #  TopologyAwareHints: true

    # Enable ServiceTrafficDistribution in AntreaProxy. This requires AntreaProxy and EndpointSlice to be
    # enabled, otherwise this flag will not take effect.
    #  ServiceTrafficDistribution: true

    # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
    # be enabled, otherwise this flag will not take effect.
    #  CleanupStaleUDPSvcConntrack: true

    # Enable Traceflow which provides packet tracing feature to diagnose network issue.
    #  Traceflow: true

    # Enable PacketCapture feature which supports capturing packets to diagnose network issues.
    #  PacketCapture: false

    # Enable NodePortLocal feature to make the Pods reachable externally through NodePort
    #  NodePortLocal: true

    # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
    # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
    # feature that supports priorities, rule actions and externalEntities in the future.
    #  AntreaPolicy: true

    # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
    # agent to a configured collector.
    #  FlowExporter: false

    # Enable collecting and exposing NetworkPolicy statistics.
    #  NetworkPolicyStats: true

    # Enable controlling SNAT IPs of Pod egress traffic.
    #  Egress: true

    # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the
    # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for
    # IPAM when configuring secondary network interfaces with Multus.
    #  AntreaIPAM: false

    # Enable multicast traffic.
    #  Multicast: true

    # Enable Antrea Multi-cluster features.
    #  Multicluster: false

    # Enable support for provisioning secondary network interfaces for Pods (using
    # Pod annotations). At the moment, Antrea can create secondary network
    # interfaces either using SR-IOV VFs on bare-metal Nodes or veth interfaces
    # bridged to the underlay network, with or without VLAN tagging.
    #  SecondaryNetwork: false

    # Enable managing external IPs of Services of LoadBalancer type.
    #  ServiceExternalIP: true

    # Enable mirroring or redirecting the traffic Pods send or receive.
    #  TrafficControl: false

    # Enable certificate-based authentication for IPSec tunnel.
    #  IPsecCertAuth: false

    # Enable collecting support bundle files with SupportBundleCollection CRD.
    #  SupportBundleCollection: false

    # Enable users to protect their applications by specifying how they are allowed to communicate with others, taking
    # into account application context.
    #  L7NetworkPolicy: false

    # Allow users to specify the load balancer mode as DSR (Direct Server Return).
    #  LoadBalancerModeDSR: false

    # Enable Egress traffic shaping.
    #  EgressTrafficShaping: false

    # Allow users to allocate Egress IPs from a different subnet from the default Node subnet.
    #  EgressSeparateSubnet: true

    # Allow users to apply ClusterNetworkPolicy to Kubernetes Nodes.
    #  NodeNetworkPolicy: false

    # Enable L7FlowExporter on Pods and Namespaces to export the application layer flows such as HTTP flows.
    #  L7FlowExporter: false

    # Enable NodeLatencyMonitor to monitor the latency between Nodes.
    #  NodeLatencyMonitor: false

    # Allow users to initiate BGP process on selected Kubernetes Nodes and advertise Service IPs, Pod IPs and Egress IPs to
    # remote BGP peers.
    #  BGPPolicy: false

    # Name of the OpenVSwitch bridge antrea-agent will create and use.
    # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
    ovsBridge: "br-int"

    # Datapath type to use for the OpenVSwitch bridge created by Antrea. At the moment, the only
    # supported value is 'system', which corresponds to the kernel datapath.
    #ovsDatapathType: system

    # Name of the interface antrea-agent will create and use for host <--> pod communication.
    # Make sure it doesn't conflict with your existing interfaces.
    hostGateway: "antrea-gw0"

    # Determines how traffic is encapsulated. It has the following options:
    # encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
    #                    traffic is SNAT'd.
    # noEncap:           Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
    #                    SNAT'd if noSNAT is not set to true. Underlying network must be capable of
    #                    supporting Pod traffic across IP subnets.
    # hybrid:            noEncap if source and destination Nodes are on the same subnet, otherwise encap.
    # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
    #                    IPAM and connectivity to the primary CNI.
    #
    # NOTE(review): the templated serviceCIDR branches further down emit `trafficEncapMode` (and `noSNAT`)
    # a second time with different values, so the rendered antrea-agent.conf contains duplicate top-level
    # keys. A strict YAML loader rejects such a file outright; a lenient one silently keeps the last
    # occurrence. Keep a single definition of each key (drop this one or the per-branch ones) so the
    # effective encapsulation/SNAT behaviour -- and with it whether trafficEncryptionMode can apply at
    # all, since encryption only works with encap mode -- is unambiguous.
    trafficEncapMode: "encap"

    # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
    # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
    # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
    # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
    # performs SNAT and this option will be ignored; for other modes it must be set to false.
    # NOTE(review): the templated branches below set `noSNAT: true` a second time. Duplicate keys in the
    # rendered file are rejected by strict YAML loaders and resolved last-wins by lenient ones -- keep a
    # single definition so it is clear whether Pod egress is SNAT'd.
    noSNAT: false

    # Fully randomize source port mapping in SNAT rules used for egress traffic from Pods to the
    # external network.
    snatFullyRandomPorts: false

    # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode,
    # this option will not take effect. Supported values:
    # - geneve (default)
    # - vxlan
    # - gre
    # - stt
    # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters).
    tunnelType: "geneve"

    # TunnelPort is the destination port for UDP and TCP based tunnel protocols (Geneve, VXLAN, and STT).
    # If zero, it will use the assigned IANA port for the protocol, i.e. 6081 for Geneve, 4789 for VXLAN,
    # and 7471 for STT.
    tunnelPort: 0

    # TunnelCsum determines whether to compute UDP encapsulation header (Geneve or VXLAN) checksums on outgoing
    # packets. For Linux kernel before Mar 2021, UDP checksum must be present to trigger GRO on the receiver for better
    # performance of Geneve and VXLAN tunnels. The issue has been fixed by
    # https://github.com/torvalds/linux/commit/89e5c58fc1e2857ccdaae506fb8bc5fed57ee063, thus computing UDP checksum is
    # no longer necessary.
    # It should only be set to true when you are using an unpatched Linux kernel and observing poor transfer performance.
    tunnelCsum: false

    # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
    # It has the following options:
    # - none (default):  Inter-node Pod traffic will not be encrypted.
    # - ipsec:           Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses
    #                    Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled,
    #                    the PSK value must be passed to Antrea Agent through an environment
    #                    variable: ANTREA_IPSEC_PSK. Inject it from a Kubernetes Secret
    #                    (env.valueFrom.secretKeyRef), never as a literal in the DaemonSet spec or
    #                    in this ConfigMap: the PSK is a single cluster-wide shared secret, so one
    #                    compromised Node exposes the key for every tunnel. The IPsecCertAuth feature
    #                    gate above is the certificate-based alternative to a shared PSK.
    # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
    trafficEncryptionMode: "none"

    # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
    # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are
    # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the
    # underlay network.
    # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
    # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
    # `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
    enableBridgingMode: false

    # Disable TX checksum offloading for container network interfaces and the host gateway interface (default:
    # antrea-gw0). It's supposed to be set to true when the datapath doesn't support TX checksum offloading,
    # which causes packets to be dropped due to bad checksum.
    # If this option is later set to false, Antrea does nothing to the affected container network interfaces
    # and the host gateway interface.
    # This option affects Linux Nodes only.
    disableTXChecksumOffload: false

    # Default MTU to use for the host gateway interface and the network interface of each Pod.
    # If omitted, antrea-agent will discover the MTU of the Node's primary interface and
    # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
    # If the MTU is updated, the new value will only be applied to new workloads.
    defaultMTU: 0

    # packetInRate defines the OVS controller packet rate limits for different
    # features. All features will apply this rate-limit individually on packet-in
    # messages sent to antrea-agent. The number stands for the rate as packets per
    # second(pps) and the burst size will be automatically set to twice the rate.
    # When the rate and burst size are exceeded, new packets will be dropped.
    packetInRate: 500

    # wireGuard specifies WireGuard related configurations.
    wireGuard:
      # The port for WireGuard to receive traffic.
      port: 51820

    egress:
      # exceptCIDRs is a list of CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses, e.g.
      # ["192.168.0.0/16", "172.16.0.0/12"].
      exceptCIDRs:
      # The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts
      # the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255.
      maxEgressIPsPerNode: 255
      # Fully randomize source port mapping in Egress SNAT rules. This has no impact on the default SNAT
      # rules enforced by each Node for local Pod traffic. By default, we use the same value as for the
      # top-level snatFullyRandomPorts configuration, but this field can be used as an override.
      snatFullyRandomPorts:

{% if (networking.podSubnet.split(',') | length == 2) and (networking.serviceSubnet.split(',') | length == 2) %}
{% if networking.serviceSubnet.split(',')[0] | default('10.96.0.0/12') | ansible.netcommon.next_nth_usable(2) | ip == 4 %}
    # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
    # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
    # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
    serviceCIDR: "{{ networking.serviceSubnet.split(',')[0] }}"

    # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
    # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
    # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
    # No default value for this field.
    serviceCIDRv6: "{{ networking.serviceSubnet.split(',')[1] }}"

    # Determines how traffic is encapsulated. It has the following options:
    # encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
    #                    traffic is SNAT'd.
    # noEncap:           Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
    #                    SNAT'd if noSNAT is not set to true. Underlying network must be capable of
    #                    supporting Pod traffic across IP subnets.
    # hybrid:            noEncap if source and destination Nodes are on the same subnet, otherwise encap.
    # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
    #                    IPAM and connectivity to the primary CNI.
    #
    trafficEncapMode: "noEncap"

    # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
    # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
    # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
    # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
    # performs SNAT and this option will be ignored; for other modes it must be set to false.
    noSNAT: true
{% else %}
    # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
    # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
    # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
    serviceCIDR: "{{ networking.serviceSubnet.split(',')[1] }}"

    # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
    # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
    # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
    # No default value for this field.
    serviceCIDRv6: "{{ networking.serviceSubnet.split(',')[0] }}"


    # Determines how traffic is encapsulated. It has the following options:
    # encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
    #                    traffic is SNAT'd.
    # noEncap:           Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
    #                    SNAT'd if noSNAT is not set to true. Underlying network must be capable of
    #                    supporting Pod traffic across IP subnets.
    # hybrid:            noEncap if source and destination Nodes are on the same subnet, otherwise encap.
    # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
    #                    IPAM and connectivity to the primary CNI.
    #
    trafficEncapMode: "noEncap"

    # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
    # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
    # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
    # the external network need not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
    # performs SNAT and this option will be ignored; for other modes it must be set to false.
    noSNAT: true
{% endif %}
{% else %}
{% if inventory_hostname | ip == 4 %}
    # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
    # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
    # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
    serviceCIDR: "{{ networking.serviceSubnet | default('10.96.0.0/12') }}"

    # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
    # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
    # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
    # No default value for this field.
    serviceCIDRv6: ""

    # Determines how traffic is encapsulated. It has the following options:
    # encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
    #                    traffic is SNAT'd.
    # noEncap:           Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
    #                    SNAT'd if noSNAT is not set to true. Underlying network must be capable of
    #                    supporting Pod traffic across IP subnets.
    # hybrid:            noEncap if source and destination Nodes are on the same subnet, otherwise encap.
    # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
    #                    IPAM and connectivity to the primary CNI.
    #
    trafficEncapMode: "encap"

    # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
    # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
    # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
    # the external network need not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
    # performs SNAT and this option will be ignored; for other modes it must be set to false.
    noSNAT: false
{% elif inventory_hostname | ip == 6 %}
    # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
    # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
    # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
    serviceCIDR: ""

    # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
    # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
    # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
    # No default value for this field.
    serviceCIDRv6: "{{ networking.serviceSubnet | default('2402:db8:42:d700::/64') }}"


    # Determines how traffic is encapsulated. It has the following options:
    # encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
    #                    traffic is SNAT'd.
    # noEncap:           Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
    #                    SNAT'd if noSNAT is not set to true. Underlying network must be capable of
    #                    supporting Pod traffic across IP subnets.
    # hybrid:            noEncap if source and destination Nodes are on the same subnet, otherwise encap.
    # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
    #                    IPAM and connectivity to the primary CNI.
    #
    trafficEncapMode: "noEncap"

    # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
    # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
    # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
    # the external network need not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
    # performs SNAT and this option will be ignored; for other modes it must be set to false.
    noSNAT: true
{% endif %}
{% endif %}

    # The port for the antrea-agent APIServer to serve on.
    # Note that if it's set to another value, the `containerPort` of the `api` port of the
    # `antrea-agent` container must be set to the same value.
    apiPort: 10350

    # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
    enablePrometheusMetrics: true


    flowExporter:
      # Enable FlowExporter, a feature used to export polled conntrack connections as
      # IPFIX flow records from each agent to a configured collector. To enable this
      # feature, you need to set "enable" to true, and ensure that the FlowExporter
      # feature gate is also enabled.
      enable: false
      # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
      # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
      # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
      # wrapped with []. When the collector is running in-cluster as a Service, set
      # <HOST> to <Service namespace>/<Service name>. For example,
      # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
      # Flow Aggregator Service.
      # If PORT is empty, we default to 4739, the standard IPFIX port.
      # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
      # "udp" protocols. "tls" is used for securing communication between flow exporter and
      # flow aggregator.
      flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"

      # Provide flow poll interval as a duration string. This determines how often the
      # flow exporter dumps connections from the conntrack module. Flow poll interval
      # should be greater than or equal to 1s (one second).
      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
      flowPollInterval: "5s"

      # Provide the active flow export timeout, which is the timeout after which a flow
      # record is sent to the collector for active flows. Thus, for flows with a continuous
      # stream of packets, a flow record will be exported to the collector once the elapsed
      # time since the last export event is equal to the value of this timeout.
      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
      activeFlowExportTimeout: "5s"

      # Provide the idle flow export timeout, which is the timeout after which a flow
      # record is sent to the collector for idle flows. A flow is considered idle if no
      # packet matching this flow has been observed since the last export event.
      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
      idleFlowExportTimeout: "15s"

    nodePortLocal:
      # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
      # enable this feature, you need to set "enable" to true.
      enable: false
      # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
      # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
      # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
      # directed to that port will be forwarded to the Pod.
      portRange: "61000-62000"

    # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
    # InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
    # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
    kubeAPIServerOverride: ""

    # Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
    # hostnames in a FQDN policy.
    # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
    # 10.96.0.10:53, [fd00:10:96::a]:53).
    dnsServerOverride: ""

    # fqdnCacheMinTTL helps address the issue of applications caching DNS response IPs beyond the TTL value
    # for the DNS record. It is used to enforce FQDN policy rules, ensuring that resolved IPs are included
    # in datapath rules for as long as the application caches them. Ideally, this value should be set to
    # the maximum caching duration across all applications.
    fqdnCacheMinTTL: 0

    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
    # https://golang.org/pkg/crypto/tls/#pkg-constants
    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
    # prefer TLS1.3 Cipher Suites whenever possible.
    tlsCipherSuites: ""

    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
    tlsMinVersion: ""

    # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
    # If there are multiple IP addresses configured on the interface, the first one is used. The IP
    # address used for tunneling or routing traffic to remote Nodes is decided in the following order of
    # preference (from highest to lowest):
    # 1. transportInterface
    # 2. transportInterfaceCIDRs
    # 3. The Node IP
    transportInterface: ""

    multicast:
      # To enable Multicast, you need to set "enable" to true, and ensure that the
      # Multicast feature gate is also enabled (which is the default).
      enable: false

      # The names of the interfaces on Nodes that are used to forward multicast traffic.
      # Defaults to transport interface if not set.
      multicastInterfaces:

      # The versions of IGMP queries antrea-agent sends to Pods.
      # Valid versions are 1, 2 and 3.
      igmpQueryVersions:
      - 1
      - 2
      - 3

      # The interval at which the antrea-agent sends IGMP queries to Pods.
      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
      igmpQueryInterval: "125s"

    # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
    # Nodes. If multiple interfaces are configured with the same network CIDR, the first one is used. The
    # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
    # preference (from highest to lowest):
    # 1. transportInterface
    # 2. transportInterfaceCIDRs
    # 3. The Node IP
    transportInterfaceCIDRs:

    # Option antreaProxy contains AntreaProxy related configuration options.
    antreaProxy:
      # To disable AntreaProxy, set this to false.
      enable: true
      # proxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
      # regardless of where they come from. Therefore, running kube-proxy is no longer required.
      # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
      # apiserver directly.
      proxyAll: false
      # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
      # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
      # Note that the option is only valid when proxyAll is true.
      nodePortAddresses:
      # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
      # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
      # with Namespace (e.g. kube-system/kube-dns)
      skipServices:
      # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
      # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
      # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
      # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
      # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when proxyAll is set to true and
      # kube-proxy is removed from the cluster, otherwise kube-proxy will still load-balance this traffic.
      proxyLoadBalancerIPs: true
      # The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set,
      # then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set,
      # then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label,
      # and ignore Services that carry the label, whatever its value.
      serviceProxyName: ""
      # Determines how external traffic is processed when it's load balanced across Nodes by default.
      # It has the following options:
      # - nat (default): External traffic is SNAT'd when it's load balanced across Nodes to ensure symmetric path.
      # - dsr:           External traffic is never SNAT'd. Backend Pods running on Nodes that are not the ingress Node
      #                  can reply to clients directly, bypassing the ingress Node.
      # A Service's load balancer mode can be overridden by annotating it with `service.antrea.io/load-balancer-mode`.
      defaultLoadBalancerMode: "nat"
      # Disables the health check server run by Antrea Proxy, which provides health information about
      # Services of type LoadBalancer with externalTrafficPolicy set to Local, when proxyAll is
      # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
      # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
      disableServiceHealthCheckServer: false

    # IPsec tunnel related configurations.
    ipsec:
      # The authentication mode of IPsec tunnel. It has the following options:
      # - psk (default): Use pre-shared key (PSK) for IKE authentication.
      # - cert:          Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
      #                  feature gate to be enabled.
      authenticationMode: "psk"

    multicluster:
      # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
      # This feature is supported only with encap mode.
      enableGateway: false
      # The Namespace where Antrea Multi-cluster Controller is running.
      # The default is antrea-agent's Namespace.
      namespace: ""
      # Enable Multi-cluster NetworkPolicy (ingress rules).
      # Multi-cluster Gateway must be enabled to enable StretchedNetworkPolicy.
      enableStretchedNetworkPolicy: false
      # Enable Pod to Pod connectivity.
      enablePodToPodConnectivity: false
      # Determines how cross-cluster traffic is encrypted.
      # It has the following options:
      # - none (default):  Cross-cluster traffic will not be encrypted.
      # - wireGuard:       Use WireGuard to encrypt traffic.
      trafficEncryptionMode: "none"
      # WireGuard tunnel configuration for cross-cluster traffic.
      # It only works when multicluster.trafficEncryptionMode is wireGuard.
      wireGuard:
        # WireGuard tunnel port for cross-cluster traffic.
        port: 51821

    # Log rotation configuration for audit logs.
    auditLogging:
      # MaxSize is the maximum size in MB of a log file before it gets rotated.
      maxSize: 500
      # MaxBackups is the maximum number of old log files to retain. If set to 0,
      # all log files will be retained (unless MaxAge causes them to be deleted).
      maxBackups: 3
      # MaxAge is the maximum number of days to retain old log files based on the
      # timestamp encoded in their filename. If set to 0, old log files are not
      # removed based on age.
      maxAge: 28
      # Compress enables gzip compression on rotated files.
      compress: true

    # SecondaryNetwork related configurations.
    secondaryNetwork:
      # Configuration of OVS bridges for secondary network. At the moment, at
      # most one OVS bridge can be specified. If the specified bridge does not exist
      # on the Node, antrea-agent will create it based on the configuration.
      # The following configuration specifies an OVS bridge with name "br1" and a
      # physical interface "eth1":
      # [{bridgeName: "br1", physicalInterfaces: ["eth1"]}]
      ovsBridges:
  antrea-cni.conflist: |
    {
        "cniVersion":"0.3.0",
        "name": "antrea",
        "plugins": [
            {
                "type": "antrea",
                "ipam": {
                    "type": "host-local"
                }
            }
            ,
            {
                "type": "portmap",
                "capabilities": {"portMappings": true}
            }
            ,
            {
                "type": "bandwidth",
                "capabilities": {"bandwidth": true}
            }
        ]
    }
  antrea-controller.conf: |
    # FeatureGates is a map of feature names to bools that enable or disable experimental features.
    featureGates:
    # AllAlpha is a global toggle for alpha features. Per-feature key values override the default set by AllAlpha.
    #  AllAlpha: false

    # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta.
    #  AllBeta: false

    # Enable traceflow which provides packet tracing feature to diagnose network issue.
    #  Traceflow: true

    # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
    # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
    # feature that supports priorities, ExternalEntities, FQDN rules and more.
    #  AntreaPolicy: true

    # Enable collecting and exposing NetworkPolicy statistics.
    #  NetworkPolicyStats: true

    # Enable multicast traffic.
    #  Multicast: true

    # Enable controlling SNAT IPs of Pod egress traffic.
    #  Egress: true

    # Run Kubernetes NodeIPAMController with Antrea.
    #  NodeIPAM: true

    # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the
    # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for
    # IPAM when configuring secondary network interfaces with Multus.
    #  AntreaIPAM: false

    # Enable managing external IPs of Services of LoadBalancer type.
    #  ServiceExternalIP: true

    # Enable certificate-based authentication for IPSec tunnel.
    #  IPsecCertAuth: false

    # Enable managing ExternalNode for unmanaged VM/BM.
    #  ExternalNode: false

    # Enable collecting support bundle files with SupportBundleCollection CRD.
    #  SupportBundleCollection: false

    # Enable Antrea Multi-cluster features.
    #  Multicluster: false

    # Enable users to protect their applications by specifying how they are allowed to communicate with others, taking
    # into account application context.
    #  L7NetworkPolicy: false

    # Enable the use of Network Policy APIs (https://network-policy-api.sigs.k8s.io/api-overview) which helps administrators
    # set security postures for their clusters.
    #  AdminNetworkPolicy: false

    # The port for the antrea-controller APIServer to serve on.
    # Note that if it's set to another value, the `containerPort` of the `api` port of the
    # `antrea-controller` container must be set to the same value.
    apiPort: 10349

    # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
    enablePrometheusMetrics: true

    # Indicates whether to use auto-generated self-signed TLS certificate.
    # If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
    #   ca.crt: <CA certificate>
    #   tls.crt: <TLS certificate>
    #   tls.key: <TLS private key>
    selfSignedCert: true

    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
    # https://golang.org/pkg/crypto/tls/#pkg-constants
    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
    # prefer TLS1.3 Cipher Suites whenever possible.
    tlsCipherSuites: ""

    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
    tlsMinVersion: ""

    # File path of the certificate bundle for all the signers that are recognized for incoming client
    # certificates.
    clientCAFile: ""

    # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
    # It is typically used when kube-proxy is not deployed (replaced by AntreaProxy) and kube-controller-manager
    # does not run NodeIPAMController (replaced by Antrea NodeIPAM).
    # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
    kubeAPIServerOverride: ""

    nodeIPAM:
      # Enable the integrated Node IPAM controller within the Antrea controller.
      enableNodeIPAM: false
      # CIDR ranges for Pods in cluster. String array containing a single CIDR range, or multiple ranges.
      # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
      # Value ignored when enableNodeIPAM is false.
      clusterCIDRs:
      # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
      # Value ignored when enableNodeIPAM is false.
      serviceCIDR: ""
      serviceCIDRv6: ""
      # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
      # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
      nodeCIDRMaskSizeIPv4: 24
      # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
      # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
      nodeCIDRMaskSizeIPv6: 64

    ipsecCSRSigner:
      # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management.
      # If enabled, Antrea will auto-approve the CertificateSigningRequest (CSR) if its subject and x509 extensions
      # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled,
      # the Pod identity will also be validated to provide maximum security.
      # If set to false, Antrea will not auto-approve CertificateSigningRequests and they need to be approved
      # manually by `kubectl certificate approve`.
      autoApprove: true
      # Indicates whether to use auto-generated self-signed CA certificate.
      # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
      #   tls.crt: <CA certificate>
      #   tls.key: <CA private key>
      selfSignedCA: true

    multicluster:
      # Enable Multi-cluster NetworkPolicy.
      enableStretchedNetworkPolicy: false
---
# Source: antrea/templates/agent/clusterrole.yaml
# ClusterRole bound to the antrea-agent DaemonSet. Most rules are read-only
# (get/watch/list). Write verbs are confined to status subresources, the agent's own
# antreaagentinfos object, create-only reporting resources (nodelatencystats,
# nodestatssummaries), events, review/CSR creation, and the traceflows resource,
# which is the only rule here that grants delete. Secrets and the sensitive
# ConfigMaps are scoped with resourceNames.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antrea-agent
  labels:
    app: antrea
rules:
  - apiGroups:
      - stats.antrea.io
    resources:
      - nodelatencystats
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - watch
      - list
  # Status-only write access: the agent can patch Node status but not the Node spec.
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - watch
      - list
  # Status-only write access: the agent can patch Pod status but not the Pod spec.
  - apiGroups:
      - ""
    resources:
      - pods/status
    verbs:
      - patch
  - apiGroups:
      - ""
    resources:
      - endpoints
      - services
      - namespaces
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - watch
      - list
  # The agent reports its own state here; get/update only, no create/delete.
  - apiGroups:
      - crd.antrea.io
    resources:
      - antreaagentinfos
    verbs:
      - get
      - update
  - apiGroups:
      - controlplane.antrea.io
    resources:
      - networkpolicies
      - appliedtogroups
      - addressgroups
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - controlplane.antrea.io
    resources:
      - egressgroups
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - controlplane.antrea.io
    resources:
      - nodestatssummaries
    verbs:
      - create
  - apiGroups:
      - controlplane.antrea.io
    resources:
      - networkpolicies/status
    verbs:
      - create
      - get
  - apiGroups:
      - controlplane.antrea.io
    resources:
      - supportbundlecollections
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - controlplane.antrea.io
    resources:
      - supportbundlecollections/status
    verbs:
      - create
  # Delegated authentication/authorization for clients of the agent's own API server
  # (see the extension-apiserver note below).
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
  # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
  # have a permission issue after bumping up apiserver library to a version that supports dynamic authentication.
  # See https://github.com/kubernetes/kubernetes/pull/85375
  # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
  # the extension-apiserver-authentication role.
  - apiGroups:
      - ""
    resourceNames:
      - extension-apiserver-authentication
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Read-only access to the antrea-ca ConfigMap; the antrea-controller role is the one
  # that holds update on it.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - antrea-ca
    verbs:
      - get
      - watch
      - list
  # Full read/write on traceflows, including the only delete verb granted by this role.
  - apiGroups:
      - crd.antrea.io
    resources:
      - traceflows
      - traceflows/status
    verbs:
      - get
      - watch
      - list
      - update
      - patch
      - create
      - delete
  - apiGroups:
      - crd.antrea.io
    resources:
      - packetcaptures
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - crd.antrea.io
    resources:
      - packetcaptures/status
    verbs:
      - update
  - apiGroups:
      - crd.antrea.io
    resources:
      - egresses
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - crd.antrea.io
    resources:
      - egresses/status
    verbs:
      - update
  - apiGroups:
      - crd.antrea.io
    resources:
      - bgppolicies
      - externalippools
      - ippools
      - trafficcontrols
      - nodelatencymonitors
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - crd.antrea.io
    resources:
      - ippools/status
    verbs:
      - update
  - apiGroups:
      - k8s.cni.cncf.io
    resources:
      - network-attachment-definitions
    verbs:
      - get
      - list
      - watch
  # NOTE(review): the next three rules use flush sequence indentation while the rest of
  # this role uses indented sequences; harmless to parsers, but inconsistent file-wide.
  - apiGroups:
    - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - watch
      - list
      - create
  - apiGroups:
    - multicluster.crd.antrea.io
    resources:
    - gateways
    verbs:
    - get
    - list
    - watch
    - patch
  - apiGroups:
    - multicluster.crd.antrea.io
    resources:
    - clusterinfoimports
    - labelidentities
    verbs:
    - get
    - list
    - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
      - update
  # Secret access is limited by resourceNames to these two Secrets. RBAC only authorizes
  # list/watch on a named resource when the request carries a matching metadata.name
  # field selector, so list/watch here do not expose other Secrets.
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - antrea-bgp-passwords
      - antrea-packetcapture-fileserver-auth
    verbs:
      - get
      - list
      - watch
---
# Source: antrea/templates/antctl/clusterrole.yaml
# ClusterRole for antctl. Read-mostly: get/list across controlplane, stats and CRD
# resources plus a set of non-resource debug URLs. The only create verbs are on
# networkpolicyevaluation and supportbundles; no update, patch or delete is granted.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antctl
  labels:
    app: antrea
rules:
  - apiGroups:
      - controlplane.antrea.io
    resources:
      - networkpolicies
      - appliedtogroups
      - addressgroups
    verbs:
      - get
      - list
  - apiGroups:
      - controlplane.antrea.io
    resources:
      - networkpolicyevaluation
    verbs:
      - create
  - apiGroups:
      - stats.antrea.io
    resources:
      - networkpolicystats
      - antreaclusternetworkpolicystats
      - antreanetworkpolicystats
    verbs:
      - get
      - list
  - apiGroups:
      - system.antrea.io
    resources:
      - controllerinfos
    verbs:
      - get
  - apiGroups:
      - system.antrea.io
    resources:
      - supportbundles
    verbs:
      - create
      - get
  - apiGroups:
      - system.antrea.io
    resources:
      - supportbundles/download
    verbs:
      - get
  # Non-resource URLs. This list includes the pprof debug endpoints, which expose
  # runtime profiling data; bind this role only to trusted operators.
  - nonResourceURLs:
      - /agentinfo
      - /addressgroups
      - /appliedtogroups
      - /loglevel
      - /networkpolicies
      - /ovsflows
      - /ovstracing
      - /podinterfaces
      - /featuregates
      - /serviceexternalip
      - /metrics
      - /debug/pprof
      - /debug/pprof/*
    verbs:
      - get
  - apiGroups:
      - crd.antrea.io
    resources:
      - antreacontrollerinfos
      - antreaagentinfos
    verbs:
      - get
      - list
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - replicasets
    verbs:
      - list
  # ConfigMap access is scoped by resourceNames and is get-only. antrea-ipsec-ca here is
  # the ConfigMap (presumably the CA certificate only); the CA private key is expected in
  # the Secret of the same name, which this role does not grant.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - antrea-config
      - antrea-ca
      - antrea-ipsec-ca
      - antrea-cluster-identity
    verbs:
      - get
---
# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml
# Minimal ClusterRole: get on the single antrea-cluster-identity ConfigMap, nothing else.
# (The Source path says clusterrolebinding.yaml, but the rendered object is a ClusterRole.)
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antrea-cluster-identity-reader
  labels:
    app: antrea
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - antrea-cluster-identity
    verbs:
      - get
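---
# Source: antrea/templates/controller/clusterrole.yaml
# Cluster-wide permissions for the antrea-controller ServiceAccount. The
# controller is also registered as an extension API server (see the
# extension-apiserver-authentication note below), which is why it needs to
# create TokenReviews and SubjectAccessReviews for delegated auth.
# All block sequences in this document use the indented style; the
# certificates.k8s.io rules previously used flush indentation.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antrea-controller
  labels:
    app: antrea
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - namespaces
      - configmaps
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - watch
      - list
      - patch
  - apiGroups:
      - ""
    resources:
      - services/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - watch
      - list
  # Delegated authentication/authorization for the aggregated API server.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  # "update" here is not restricted by resourceNames, so the controller can
  # modify any CustomResourceDefinition in the cluster, not only crd.antrea.io.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - update
  # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
  # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will
  # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
  # See https://github.com/kubernetes/kubernetes/pull/85375
  # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
  # the extension-apiserver-authentication role.
  - apiGroups:
      - ""
    resourceNames:
      - extension-apiserver-authentication
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - antrea-ca
      - antrea-ipsec-ca
      - antrea-cluster-identity
    verbs:
      - get
      - update
  # Secret access is name-restricted. With resourceNames, list/watch only work
  # for requests that carry a metadata.name field selector for those names.
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - antrea-controller-tls
      - antrea-ipsec-ca
    verbs:
      - get
      - update
      - watch
      - list
  # "create" cannot be scoped by resourceNames (the object name is not known
  # until admission), so this rule allows creating ConfigMaps and Secrets in
  # any namespace. The get/update rules above stay name-restricted, which
  # limits what the controller can read back afterwards.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
    verbs:
      - create
  # The APIService and webhook configuration documents in this manifest ship
  # without a caBundle; the update verbs here are presumably how the
  # controller injects its serving CA into them at runtime.
  - apiGroups:
      - apiregistration.k8s.io
    resources:
      - apiservices
    verbs:
      - list
      - update
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - list
      - update
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests/approval
      - certificatesigningrequests/status
    verbs:
      - update
  # approve/sign is limited to the Antrea IPsec tunnel signer name, so the
  # controller cannot approve or sign CSRs addressed to other signers
  # (e.g. the kubelet signers).
  - apiGroups:
      - certificates.k8s.io
    resources:
      - signers
    resourceNames:
      - antrea.io/antrea-agent-ipsec-tunnel
    verbs:
      - approve
      - sign
  - apiGroups:
      - crd.antrea.io
    resources:
      - antreacontrollerinfos
    verbs:
      - get
      - create
      - update
      - delete
  - apiGroups:
      - crd.antrea.io
    resources:
      - antreaagentinfos
    verbs:
      - list
      - create
      - delete
  - apiGroups:
      - crd.antrea.io
    resources:
      - clusternetworkpolicies
      - networkpolicies
    verbs:
      - get
      - watch
      - list
      - update
      - patch
      - create
      - delete
  - apiGroups:
      - crd.antrea.io
    resources:
      - clusternetworkpolicies/status
      - networkpolicies/status
    verbs:
      - update
  - apiGroups:
      - crd.antrea.io
    resources:
      - tiers
    verbs:
      - get
      - watch
      - list
      - update
      - patch
      - create
      - delete
  - apiGroups:
      - crd.antrea.io
    resources:
      - traceflows
      - traceflows/status
    verbs:
      - get
      - watch
      - list
      - update
      - patch
      - create
      - delete
  - apiGroups:
      - crd.antrea.io
    resources:
      - externalentities
      - clustergroups
      - groups
    verbs:
      - get
      - watch
      - list
      - update
      - patch
      - create
      - delete
  - apiGroups:
      - crd.antrea.io
    resources:
      - clustergroups/status
      - groups/status
      - egresses/status
    verbs:
      - update
  - apiGroups:
      - crd.antrea.io
    resources:
      - egresses
    verbs:
      - get
      - watch
      - list
      - update
      - patch
  - apiGroups:
      - crd.antrea.io
    resources:
      - externalippools
      - ippools
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - crd.antrea.io
    resources:
      - externalippools/status
      - ippools/status
    verbs:
      - update
      - patch
  - apiGroups:
      - crd.antrea.io
    resources:
      - externalnodes
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - apps
    resources:
      - statefulsets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - crd.antrea.io
    resources:
      - supportbundlecollections
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - crd.antrea.io
    resources:
      - supportbundlecollections/status
    verbs:
      - update
  - apiGroups:
      - multicluster.crd.antrea.io
    resources:
      - labelidentities
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy.networking.k8s.io
    resources:
      - adminnetworkpolicies
      - baselineadminnetworkpolicies
    verbs:
      - get
      - list
      - watch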
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aggregate-antrea-policies-edit
  labels:
    app: antrea
    # Add these permissions to the "admin" and "edit" default roles.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
# Read/write on Antrea-native policies for holders of the built-in admin/edit
# roles. "clusternetworkpolicies" is cluster-scoped, so that part only takes
# effect where admin/edit is granted through a ClusterRoleBinding; a
# namespaced RoleBinding cannot confer access to cluster-scoped resources.
rules:
  - apiGroups:
      - crd.antrea.io
    resources:
      - clusternetworkpolicies
      - networkpolicies
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-antrea-policies-view
  labels:
    app: antrea
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
# Read-only counterpart of aggregate-antrea-policies-edit. The cluster-scoped
# "clusternetworkpolicies" entry is only reachable where "view" is bound
# cluster-wide.
rules:
  - apiGroups:
      - crd.antrea.io
    resources:
      - clusternetworkpolicies
      - networkpolicies
    verbs:
      - get
      - list
      - watch
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aggregate-traceflows-edit
  labels:
    app: antrea
    # Add these permissions to the "admin" and "edit" default roles.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
# Traceflows are cluster-scoped (see the traceflowvalidator webhook), so this
# rule is effective only for subjects holding admin/edit via a
# ClusterRoleBinding.
rules:
  - apiGroups:
      - crd.antrea.io
    resources:
      - traceflows
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-traceflows-view
  labels:
    app: antrea
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
# Read-only access to the cluster-scoped Traceflow resource for holders of
# the built-in "view" role (effective only with a cluster-wide binding).
rules:
  - apiGroups:
      - crd.antrea.io
    resources:
      - traceflows
    verbs:
      - get
      - list
      - watch
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aggregate-antrea-clustergroups-edit
  labels:
    app: antrea
    # Add these permissions to the "admin" and "edit" default roles.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
# ClusterGroups are cluster-scoped (see the clustergroupvalidator webhook);
# as with the other aggregate roles, the grant is effective only for subjects
# that hold admin/edit through a ClusterRoleBinding.
rules:
  - apiGroups:
      - crd.antrea.io
    resources:
      - clustergroups
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
# Source: antrea/templates/crds-rbac/clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-antrea-clustergroups-view
  labels:
    app: antrea
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
# Read-only access to the cluster-scoped ClusterGroup resource for holders of
# the built-in "view" role (effective only with a cluster-wide binding).
rules:
  - apiGroups:
      - crd.antrea.io
    resources:
      - clustergroups
    verbs:
      - get
      - list
      - watch
---
# Source: antrea/templates/agent/clusterrolebinding.yaml
# Binds the antrea-agent ClusterRole to the agent ServiceAccount. Because the
# agent DaemonSet runs privileged on every node, the token of this
# ServiceAccount is present on every node; keep the bound role minimal.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: antrea
  name: antrea-agent
subjects:
  - kind: ServiceAccount
    namespace: kube-system
    name: antrea-agent
roleRef:
  kind: ClusterRole
  name: antrea-agent
  apiGroup: rbac.authorization.k8s.io
---
# Source: antrea/templates/antctl/clusterrolebinding.yaml
# Binds the antctl ClusterRole (the CLI's read/debug permissions, including the
# agent and controller debug endpoints) to the antctl ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antctl
  labels:
    app: antrea
subjects:
  - kind: ServiceAccount
    namespace: kube-system
    name: antctl
roleRef:
  kind: ClusterRole
  name: antctl
  apiGroup: rbac.authorization.k8s.io
---
# Source: antrea/templates/controller/clusterrolebinding.yaml
# Binds the antrea-controller ClusterRole (defined earlier in this manifest)
# to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: antrea
  name: antrea-controller
subjects:
  - kind: ServiceAccount
    namespace: kube-system
    name: antrea-controller
roleRef:
  kind: ClusterRole
  name: antrea-controller
  apiGroup: rbac.authorization.k8s.io
---
# Source: antrea/templates/controller/service.yaml
# ClusterIP Service in front of the antrea-controller Pod. It is the backend
# referenced by the APIService and webhook configurations in this manifest,
# so the controller's serving certificate must be valid for this Service name.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: antrea
  name: antrea
  namespace: kube-system
spec:
  selector:
    component: antrea-controller
    app: antrea
  ports:
    - protocol: TCP
      port: 443
      # Resolved against the container port named "api" on the controller Pod.
      targetPort: api
---
# Source: antrea/templates/agent/daemonset.yaml
# Per-node agent. The Pod shares the host network namespace, its main
# container is privileged, and several host directories are mounted
# read-write (CNI binaries and config, run and log directories). Treat this
# Pod and the antrea-agent ServiceAccount as node-level privileged components.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: antrea-agent
  namespace: kube-system
  labels:
    app: antrea
    component: antrea-agent
spec:
  selector:
    matchLabels:
      app: antrea
      component: antrea-agent
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Starting with v1.21, Kubernetes supports default container annotation.
        # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting.
        kubectl.kubernetes.io/default-container: antrea-agent
        # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
        # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
        checksum/config: 6b0b82d61a89692c8092a44ac0a7bb02647254384f5246282bbb6be56415d08b
      labels:
        app: antrea
        component: antrea-agent
    spec:
      # The agent runs in the node's network namespace, so the "api" port
      # declared below is opened on the node itself, not on a Pod IP.
      hostNetwork: true
      priorityClassName: system-node-critical
      nodeSelector:
        kubernetes.io/os: linux
      # Tolerates every NoSchedule/NoExecute taint so the agent lands on all
      # Linux nodes, including control-plane and cordoned/draining ones.
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: antrea-agent
      initContainers:
        # Copies the CNI binaries and config onto the host; both host paths are
        # mounted read-write below, so this container can replace the node's
        # CNI plugins.
        - name: install-cni
          # Jinja expression evaluated by the template engine before this file
          # is parsed as YAML (the raw file is not parseable as plain YAML, the
          # value starts with "{{"). The image is pinned by tag, not by digest.
          image: {{ REGISTRY_URL | default('https://docker.io') | urlsplit('hostname') }}{% if REGISTRY_URL | default('https://docker.io') | urlsplit('port') is not none %}:{{REGISTRY_URL | default('https://docker.io') | urlsplit('port')}}{% endif %}{% if REGISTRY_URL | default('https://docker.io') | urlsplit('path') is not none %}{{ REGISTRY_URL | default('https://docker.io') | urlsplit('path') }}{% endif %}/antrea/antrea-agent-ubuntu:v2.3.0
          # With a tag pin, IfNotPresent reuses whatever image already carries
          # this tag on the node; a digest pin would make the pull reproducible.
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 100m
          command: ["install_cni"]
          securityContext:
            capabilities:
              add:
                # Needed to load the OVS kernel module (see the /lib/modules
                # mount below). This is the only added capability here; the
                # container is otherwise unprivileged.
                - SYS_MODULE
          env:
            # SKIP_CNI_BINARIES takes in values as a comma separated list of
            # binaries that need to be skipped for installation, e.g. "portmap, bandwidth".
            - name: SKIP_CNI_BINARIES
              value: ""
          volumeMounts:
          - name: antrea-config
            mountPath: /etc/antrea/antrea-cni.conflist
            subPath: antrea-cni.conflist
            readOnly: true
          # Host CNI config and binary directories, writable.
          - name: host-cni-conf
            mountPath: /host/etc/cni/net.d
          - name: host-cni-bin
            mountPath: /host/opt/cni/bin
          # For loading the OVS kernel module.
          - name: host-lib-modules
            mountPath: /lib/modules
            readOnly: true
          # For changing the default permissions of the run directory.
          - name: host-var-run-antrea
            mountPath: /var/run/antrea
      containers:
        - name: antrea-agent
          # Same templated image reference as the init container; see the note
          # there about Jinja rendering and tag (not digest) pinning.
          image: {{ REGISTRY_URL | default('https://docker.io') | urlsplit('hostname') }}{% if REGISTRY_URL | default('https://docker.io') | urlsplit('port') is not none %}:{{REGISTRY_URL | default('https://docker.io') | urlsplit('port')}}{% endif %}{% if REGISTRY_URL | default('https://docker.io') | urlsplit('path') is not none %}{{ REGISTRY_URL | default('https://docker.io') | urlsplit('path') }}{% endif %}/antrea/antrea-agent-ubuntu:v2.3.0
          imagePullPolicy: IfNotPresent
          command: ["antrea-agent"]
          # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
          args:
            - "--config=/etc/antrea/antrea-agent.conf"
            - "--logtostderr=false"
            - "--log_dir=/var/log/antrea"
            - "--alsologtostderr"
            - "--log_file_max_size=100"
            - "--log_file_max_num=4"
          env:
            # Provide pod and node information for clusterinformation CRD.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          resources:
            requests:
              cpu: 200m
          ports:
            # Agent API (HTTPS, see the probes). Because of hostNetwork this
            # port is reachable on the node address, so it is protected by
            # the agent's own authn/authz rather than by network isolation.
            - containerPort: 10350
              name: api
              protocol: TCP
          livenessProbe:
            httpGet:
              # Probes target localhost in the host network namespace. The
              # kubelet does not verify the serving certificate for HTTPS
              # httpGet probes, so a self-signed cert is fine here.
              host: localhost
              path: /livez
              port: api
              scheme: HTTPS
            initialDelaySeconds: 10
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              host: localhost
              path: /readyz
              port: api
              scheme: HTTPS
            initialDelaySeconds: 5
            timeoutSeconds: 5
            periodSeconds: 10
            # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea
            # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this
            # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a
            # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection.
            failureThreshold: 8
          securityContext:
            # Fully privileged: all capabilities, no seccomp/AppArmor
            # confinement from the runtime default, and access to host
            # devices. Combined with hostNetwork and the host mounts below,
            # compromise of this container is equivalent to root on the node.
            privileged: true
          volumeMounts:
          - name: antrea-config
            mountPath: /etc/antrea/antrea-agent.conf
            subPath: antrea-agent.conf
            readOnly: true
          - name: host-var-run-antrea
            mountPath: /var/run/antrea
          # The OVS socket directory is shared with the antrea-ovs container
          # through the same host volume (subPath "openvswitch").
          - name: host-var-run-antrea
            mountPath: /var/run/openvswitch
            subPath: openvswitch
          # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME.
          # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation.
          - name: host-var-run-antrea
            mountPath: /var/lib/cni
            subPath: cni
          - name: host-var-log-antrea
            mountPath: /var/log/antrea
          # We need to mount both the /proc directory and the /var/run/netns directory so that
          # antrea-agent can open the network namespace path when setting up Pod
          # networking. Different container runtimes may use /proc or /var/run/netns when invoking
          # the CNI commands. Docker uses /proc and containerd uses /var/run/netns.
          # Both are mounted read-only.
          - name: host-proc
            mountPath: /host/proc
            readOnly: true
          - name: host-var-run-netns
            mountPath: /host/var/run/netns
            readOnly: true
            # When a container is created, a mount point for the network namespace is added under
            # /var/run/netns on the host, which needs to be propagated to the antrea-agent container.
            mountPropagation: HostToContainer
          # Shared iptables lock file; writable, as required to take the lock.
          - name: xtables-lock
            mountPath: /run/xtables.lock
          # Kubelet pod-resources directory (presumably for the pod-resources
          # API socket; not readOnly here - confirm whether write is needed).
          - name: host-pod-resources
            mountPath: /var/lib/kubelet/pod-resources
        - name: antrea-ovs
          # Same templated image reference as above (Jinja-rendered, tag-pinned).
          image: {{ REGISTRY_URL | default('https://docker.io') | urlsplit('hostname') }}{% if REGISTRY_URL | default('https://docker.io') | urlsplit('port') is not none %}:{{REGISTRY_URL | default('https://docker.io') | urlsplit('port')}}{% endif %}{% if REGISTRY_URL | default('https://docker.io') | urlsplit('path') is not none %}{{ REGISTRY_URL | default('https://docker.io') | urlsplit('path') }}{% endif %}/antrea/antrea-agent-ubuntu:v2.3.0
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 200m
          command: ["start_ovs"]
          args:
            - "--log_file_max_size=100"
            - "--log_file_max_num=4"
          securityContext:
            # Not privileged: runs with an explicit capability set instead.
            # NET_ADMIN and SYS_ADMIN are still powerful in the host network
            # namespace; this is the minimum the OVS daemons are given here.
            capabilities:
              add:
                - SYS_NICE
                - NET_ADMIN
                - SYS_ADMIN
                - IPC_LOCK
          livenessProbe:
            exec:
              # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround.
              # https://github.com/kubernetes/kubernetes/issues/51901
              command:
                - /bin/sh
                - -c
                - timeout 10 container_liveness_probe ovs
            initialDelaySeconds: 5
            timeoutSeconds: 10
            periodSeconds: 10
            failureThreshold: 5
          volumeMounts:
          - name: host-var-run-antrea
            mountPath: /var/run/openvswitch
            subPath: openvswitch
          - name: host-var-log-antrea
            mountPath: /var/log/openvswitch
            subPath: openvswitch
      volumes:
        - name: antrea-config
          configMap:
            name: antrea-config
        # Host paths below are mounted read-write unless the corresponding
        # volumeMount says otherwise; /proc, /var/run/netns and /lib/modules
        # are the read-only ones.
        - name: host-cni-conf
          hostPath:
            path: /etc/cni/net.d
        - name: host-cni-bin
          hostPath:
            path: /opt/cni/bin
        - name: host-proc
          hostPath:
            path: /proc
        - name: host-var-run-netns
          hostPath:
            path: /var/run/netns
        - name: host-var-run-antrea
          hostPath:
            path: /var/run/antrea
            # we use subPath to create run subdirectories for different component (e.g. OVS) and
            # subPath requires the base volume to exist
            type: DirectoryOrCreate
        - name: host-var-log-antrea
          hostPath:
            path: /var/log/antrea
            # we use subPath to create logging subdirectories for different component (e.g. OVS)
            type: DirectoryOrCreate
        - name: host-lib-modules
          hostPath:
            path: /lib/modules
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        - name: host-pod-resources
          hostPath:
            path: /var/lib/kubelet/pod-resources
            # "Directory" (not DirectoryOrCreate): the Pod fails to start if
            # the kubelet has not created this directory.
            type: Directory
---
# Source: antrea/templates/controller/deployment.yaml
# Single-replica controller. It serves the aggregated API and the admission
# webhooks registered later in this manifest over HTTPS on the node network
# (hostNetwork), so its port is exposed on the control-plane node address.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: antrea-controller
  namespace: kube-system
  labels:
    app: antrea
    component: antrea-controller
spec:
  strategy:
    # Ensure the existing Pod is stopped before the new one is created.
    type: Recreate
  selector:
    matchLabels:
      app: antrea
      component: antrea-controller
  replicas: 1
  template:
    metadata:
      annotations:
        # Automatically restart Pod if the ConfigMap changes
        # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
        checksum/config: 6b0b82d61a89692c8092a44ac0a7bb02647254384f5246282bbb6be56415d08b
      labels:
        app: antrea
        component: antrea-controller
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      # The controller shares the node network namespace; the "api" port below
      # is therefore bound on the node itself.
      hostNetwork: true
      priorityClassName: system-cluster-critical
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
        # Evict immediately when the node becomes unreachable so the single
        # replica is rescheduled quickly (strategy is Recreate).
        - effect: NoExecute
          key: node.kubernetes.io/unreachable
          operator: Exists
          tolerationSeconds: 0
      serviceAccountName: antrea-controller
      containers:
        - name: antrea-controller
          # Jinja expression evaluated by the template engine before this file
          # is parsed as YAML (the raw value starts with "{{"). The image is
          # pinned by tag, not by digest.
          image: {{ REGISTRY_URL | default('https://docker.io') | urlsplit('hostname') }}{% if REGISTRY_URL | default('https://docker.io') | urlsplit('port') is not none %}:{{REGISTRY_URL | default('https://docker.io') | urlsplit('port')}}{% endif %}{% if REGISTRY_URL | default('https://docker.io') | urlsplit('path') is not none %}{{ REGISTRY_URL | default('https://docker.io') | urlsplit('path') }}{% endif %}/antrea/antrea-controller-ubuntu:v2.3.0
          # With a tag pin, IfNotPresent reuses an already-present image with
          # this tag; a digest pin would make the pull reproducible.
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 200m
              memory: 100Mi
          command: ["antrea-controller"]
          # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).
          args:
            - "--config=/etc/antrea/antrea-controller.conf"
            - "--logtostderr=false"
            - "--log_dir=/var/log/antrea"
            - "--alsologtostderr"
            - "--log_file_max_size=100"
            - "--log_file_max_num=4"
          env:
            # Provide pod and node information for clusterinformation CRD.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Provide ServiceAccount name for validation webhook.
            - name: SERVICEACCOUNT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ANTREA_CONFIG_MAP_NAME
              value: antrea-config
          ports:
            # HTTPS API port; the "antrea" Service's targetPort resolves to it.
            - containerPort: 10349
              name: api
              protocol: TCP
          readinessProbe:
            httpGet:
              # Probes go to localhost in the host network namespace; the
              # kubelet does not verify the serving certificate for HTTPS
              # httpGet probes.
              host: localhost
              path: /readyz
              port: api
              scheme: HTTPS
            initialDelaySeconds: 5
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 5
          livenessProbe:
            httpGet:
              host: localhost
              path: /livez
              port: api
              scheme: HTTPS
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 5
          volumeMounts:
            - name: antrea-config
              mountPath: /etc/antrea/antrea-controller.conf
              subPath: antrea-controller.conf
              readOnly: true
            # Serving key/cert when a user-supplied certificate is used.
            # NOTE(review): no readOnly: true here; Secret volumes are
            # read-only in practice, but marking it explicitly documents intent.
            - name: antrea-controller-tls
              mountPath: /var/run/antrea/antrea-controller-tls
            - name: host-var-log-antrea
              mountPath: /var/log/antrea
      volumes:
        - name: antrea-config
          configMap:
            name: antrea-config
        # Make it optional as we only read it when selfSignedCert=false.
        - name: antrea-controller-tls
          secret:
            secretName: antrea-controller-tls
            # Leading-zero octal, as the Kubernetes YAML loader (YAML 1.1)
            # reads it: 0400 = 256 decimal, owner read-only. A YAML 1.2 parser
            # would read this as decimal 400 (= 0620, group-writable), so if
            # this manifest is ever fed through other tooling prefer the
            # unambiguous decimal form 256.
            defaultMode: 0400
            optional: true
        - name: host-var-log-antrea
          hostPath:
            path: /var/log/antrea
            type: DirectoryOrCreate
---
# Source: antrea/templates/controller/apiservices.yaml
# Registers the controlplane.antrea.io/v1beta2 group with the kube-apiserver,
# backed by the "antrea" Service. No caBundle and no insecureSkipTLSVerify are
# set here; the controller holds "update" on apiservices and presumably fills
# in the CA at runtime so the apiserver can verify the backend certificate.
kind: APIService
apiVersion: apiregistration.k8s.io/v1
metadata:
  labels:
    app: antrea
    served-by: antrea-controller
  name: v1beta2.controlplane.antrea.io
spec:
  service:
    namespace: kube-system
    name: antrea
  group: controlplane.antrea.io
  version: v1beta2
  groupPriorityMinimum: 100
  versionPriority: 100
---
# Source: antrea/templates/controller/apiservices.yaml
# Registers the system.antrea.io/v1beta1 group (backed by the "antrea"
# Service). Same TLS note as the controlplane APIService: no caBundle is
# shipped in the manifest.
kind: APIService
apiVersion: apiregistration.k8s.io/v1
metadata:
  labels:
    app: antrea
    served-by: antrea-controller
  name: v1beta1.system.antrea.io
spec:
  service:
    namespace: kube-system
    name: antrea
  group: system.antrea.io
  version: v1beta1
  groupPriorityMinimum: 100
  versionPriority: 100
---
# Source: antrea/templates/controller/apiservices.yaml
# Registers the stats.antrea.io/v1alpha1 group (backed by the "antrea"
# Service). Same TLS note as the other APIServices: no caBundle is shipped.
kind: APIService
apiVersion: apiregistration.k8s.io/v1
metadata:
  labels:
    app: antrea
    served-by: antrea-controller
  name: v1alpha1.stats.antrea.io
spec:
  service:
    namespace: kube-system
    name: antrea
  group: stats.antrea.io
  version: v1alpha1
  groupPriorityMinimum: 100
  versionPriority: 100
---
# Source: antrea/templates/webhooks/mutating/crdmutator.yaml
# Mutating admission for Antrea-native policy objects, served by the
# controller through the "antrea" Service. No caBundle is shipped here (the
# controller has "update" on mutatingwebhookconfigurations). failurePolicy is
# not set; for admissionregistration.k8s.io/v1 the default is Fail, so policy
# writes are rejected while the controller is unreachable (5s timeout).
kind: MutatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
metadata:
  labels:
    app: antrea
    served-by: antrea-controller
  name: "crdmutator.antrea.io"
webhooks:
  - name: "acnpmutator.antrea.io"
    clientConfig:
      service:
        namespace: kube-system
        name: "antrea"
        path: "/mutate/acnp"
    rules:
      - apiGroups:
          - "crd.antrea.io"
        apiVersions:
          - "v1beta1"
        resources:
          - "clusternetworkpolicies"
        operations:
          - "CREATE"
          - "UPDATE"
        scope: "Cluster"
    admissionReviewVersions:
      - "v1"
      - "v1beta1"
    sideEffects: None
    timeoutSeconds: 5
  - name: "annpmutator.antrea.io"
    clientConfig:
      service:
        namespace: kube-system
        name: "antrea"
        path: "/mutate/annp"
    rules:
      - apiGroups:
          - "crd.antrea.io"
        apiVersions:
          - "v1beta1"
        resources:
          - "networkpolicies"
        operations:
          - "CREATE"
          - "UPDATE"
        scope: "Namespaced"
    admissionReviewVersions:
      - "v1"
      - "v1beta1"
    sideEffects: None
    timeoutSeconds: 5
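---
# Source: antrea/templates/webhooks/validating/crdvalidator.yaml
# Validating admission for Antrea CRDs and for the policy.networking.k8s.io
# AdminNetworkPolicy APIs, all served by the controller via the "antrea"
# Service. No caBundle is shipped (the controller has "update" on
# validatingwebhookconfigurations). failurePolicy is not set; for
# admissionregistration.k8s.io/v1 the default is Fail, so writes to these
# resources are rejected while the controller is unreachable (5s timeout).
# Formatting is normalised to match the other entries: plain "kube-system"
# for the namespace and no padding inside flow sequences (the groupvalidator
# entry previously differed).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: "crdvalidator.antrea.io"
  labels:
    app: antrea
    served-by: antrea-controller
webhooks:
  # DELETE is validated too, so Tier removal goes through the controller.
  - name: "tiervalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/tier"
    rules:
      - operations: ["CREATE", "UPDATE", "DELETE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1beta1"]
        resources: ["tiers"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "acnpvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/acnp"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1beta1"]
        resources: ["clusternetworkpolicies"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "annpvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/annp"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1beta1"]
        resources: ["networkpolicies"]
        scope: "Namespaced"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  # The two policy.networking.k8s.io entries set no "scope" (defaults to "*").
  # Equivalent in practice for these cluster-scoped resources, but an explicit
  # scope: "Cluster" would match the style of the other entries.
  - name: "anpvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/anp"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["policy.networking.k8s.io"]
        apiVersions: ["v1alpha1"]
        resources: ["adminnetworkpolicies"]
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "banpvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/banp"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["policy.networking.k8s.io"]
        apiVersions: ["v1alpha1"]
        resources: ["baselineadminnetworkpolicies"]
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "clustergroupvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/clustergroup"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1beta1"]
        resources: ["clustergroups"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "groupvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/group"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1beta1"]
        resources: ["groups"]
        scope: "Namespaced"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  # Both served versions of ExternalIPPool are validated.
  - name: "externalippoolvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/externalippool"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha2", "v1beta1"]
        resources: ["externalippools"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "egressvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/egress"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1beta1"]
        resources: ["egresses"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  # DELETE is validated, e.g. so a pool still in use is not removed.
  - name: "ippoolvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/ippool"
    rules:
      - operations: ["CREATE", "UPDATE", "DELETE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1beta1"]
        resources: ["ippools"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "supportbundlecollectionvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/supportbundlecollection"
    rules:
      - operations: ["CREATE", "UPDATE", "DELETE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1alpha1"]
        resources: ["supportbundlecollections"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
  - name: "traceflowvalidator.antrea.io"
    clientConfig:
      service:
        name: "antrea"
        namespace: kube-system
        path: "/validate/traceflow"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["crd.antrea.io"]
        apiVersions: ["v1beta1"]
        resources: ["traceflows"]
        scope: "Cluster"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5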
